From 22c336aa03f3dc270f49f46da229025b0c72a501 Mon Sep 17 00:00:00 2001 
From: Helena Greebe Date: Wed, 11 Dec 2024 09:11:16 -0500 Subject: [PATCH] Update openssh --- Berksfile | 2 +- .../aws-parallelcluster-awsbatch/Berksfile | 2 +- .../aws-parallelcluster-awsbatch/metadata.rb | 2 +- .../aws-parallelcluster-entrypoints/Berksfile | 2 +- .../recipes/setup_envars.rb | 2 +- cookbooks/aws-parallelcluster-slurm/Berksfile | 2 +- .../aws-parallelcluster-slurm/metadata.rb | 2 +- .../third-party/openssh-2.11.15/.editorconfig | 19 + cookbooks/third-party/openssh-2.11.15/.envrc | 2 + .../openssh-2.11.15/.gitattributes | 1 + .../openssh-2.11.15/.github/CODEOWNERS | 1 + .../openssh-2.11.15/.github/workflows/ci.yml | 147 ++++++++ .../.github/workflows/stale.yml | 25 ++ .../third-party/openssh-2.11.15/.gitignore | 49 +++ .../openssh-2.11.15/.markdownlint-cli2.yaml | 7 + cookbooks/third-party/openssh-2.11.15/.mdlrc | 1 + .../openssh-2.11.15/.overcommit.yml | 24 ++ .../third-party/openssh-2.11.15/.yamllint | 15 + .../third-party/openssh-2.11.15/Berksfile | 8 + .../third-party/openssh-2.11.15/CHANGELOG.md | 357 ++++++++++++++++++ .../openssh-2.11.15/CODE_OF_CONDUCT.md | 3 + .../openssh-2.11.15/CONTRIBUTING.md | 4 + .../third-party/openssh-2.11.15/Dangerfile | 47 +++ cookbooks/third-party/openssh-2.11.15/LICENSE | 202 ++++++++++ .../third-party/openssh-2.11.15/README.md | 283 ++++++++++++++ .../third-party/openssh-2.11.15/TESTING.md | 3 + .../openssh-2.11.15/attributes/default.rb | 156 ++++++++ .../third-party/openssh-2.11.15/chefignore | 115 ++++++ .../openssh-2.11.15/documentation/.gitkeep | 0 .../openssh-2.11.15/kitchen.dokken.yml | 93 +++++ .../openssh-2.11.15/kitchen.exec.yml | 7 + .../openssh-2.11.15/kitchen.global.yml | 32 ++ .../third-party/openssh-2.11.15/kitchen.yml | 62 +++ .../openssh-2.11.15/libraries/helpers.rb | 85 +++++ .../third-party/openssh-2.11.15/metadata.rb | 27 ++ .../openssh-2.11.15/mlc_config.json | 10 + .../openssh-2.11.15/recipes/default.rb | 108 ++++++ .../openssh-2.11.15/recipes/iptables.rb | 52 +++ 
.../third-party/openssh-2.11.15/renovate.json | 18 + .../openssh-2.11.15/spec/spec_helper.rb | 14 + .../spec/unit/recipes/default_spec.rb | 267 +++++++++++++ .../spec/unit/recipes/default_windows_spec.rb | 136 +++++++ .../spec/unit/recipes/iptables_spec.rb | 47 +++ .../openssh-2.11.15/templates/ca_keys.erb | 7 + .../openssh-2.11.15/templates/port_ssh.erb | 8 + .../templates/revoked_keys.erb | 7 + .../openssh-2.11.15/templates/ssh_config.erb | 23 ++ .../openssh-2.11.15/templates/sshd_config.erb | 42 +++ .../test/integration/default/default_spec.rb | 26 ++ .../test/integration/iptables/default_spec.rb | 20 + .../windows-default/default_spec.rb | 37 ++ metadata.rb | 2 +- 52 files changed, 2605 insertions(+), 8 deletions(-) create mode 100755 cookbooks/third-party/openssh-2.11.15/.editorconfig create mode 100644 cookbooks/third-party/openssh-2.11.15/.envrc create mode 100644 cookbooks/third-party/openssh-2.11.15/.gitattributes create mode 100644 cookbooks/third-party/openssh-2.11.15/.github/CODEOWNERS create mode 100644 cookbooks/third-party/openssh-2.11.15/.github/workflows/ci.yml create mode 100644 cookbooks/third-party/openssh-2.11.15/.github/workflows/stale.yml create mode 100644 cookbooks/third-party/openssh-2.11.15/.gitignore create mode 100644 cookbooks/third-party/openssh-2.11.15/.markdownlint-cli2.yaml create mode 100644 cookbooks/third-party/openssh-2.11.15/.mdlrc create mode 100644 cookbooks/third-party/openssh-2.11.15/.overcommit.yml create mode 100644 cookbooks/third-party/openssh-2.11.15/.yamllint create mode 100644 cookbooks/third-party/openssh-2.11.15/Berksfile create mode 100644 cookbooks/third-party/openssh-2.11.15/CHANGELOG.md create mode 100644 cookbooks/third-party/openssh-2.11.15/CODE_OF_CONDUCT.md create mode 100644 cookbooks/third-party/openssh-2.11.15/CONTRIBUTING.md create mode 100644 cookbooks/third-party/openssh-2.11.15/Dangerfile create mode 100644 cookbooks/third-party/openssh-2.11.15/LICENSE create mode 100644 
cookbooks/third-party/openssh-2.11.15/README.md create mode 100644 cookbooks/third-party/openssh-2.11.15/TESTING.md create mode 100644 cookbooks/third-party/openssh-2.11.15/attributes/default.rb create mode 100644 cookbooks/third-party/openssh-2.11.15/chefignore create mode 100644 cookbooks/third-party/openssh-2.11.15/documentation/.gitkeep create mode 100644 cookbooks/third-party/openssh-2.11.15/kitchen.dokken.yml create mode 100644 cookbooks/third-party/openssh-2.11.15/kitchen.exec.yml create mode 100644 cookbooks/third-party/openssh-2.11.15/kitchen.global.yml create mode 100644 cookbooks/third-party/openssh-2.11.15/kitchen.yml create mode 100644 cookbooks/third-party/openssh-2.11.15/libraries/helpers.rb create mode 100644 cookbooks/third-party/openssh-2.11.15/metadata.rb create mode 100644 cookbooks/third-party/openssh-2.11.15/mlc_config.json create mode 100644 cookbooks/third-party/openssh-2.11.15/recipes/default.rb create mode 100644 cookbooks/third-party/openssh-2.11.15/recipes/iptables.rb create mode 100644 cookbooks/third-party/openssh-2.11.15/renovate.json create mode 100644 cookbooks/third-party/openssh-2.11.15/spec/spec_helper.rb create mode 100644 cookbooks/third-party/openssh-2.11.15/spec/unit/recipes/default_spec.rb create mode 100644 cookbooks/third-party/openssh-2.11.15/spec/unit/recipes/default_windows_spec.rb create mode 100644 cookbooks/third-party/openssh-2.11.15/spec/unit/recipes/iptables_spec.rb create mode 100644 cookbooks/third-party/openssh-2.11.15/templates/ca_keys.erb create mode 100644 cookbooks/third-party/openssh-2.11.15/templates/port_ssh.erb create mode 100644 cookbooks/third-party/openssh-2.11.15/templates/revoked_keys.erb create mode 100644 cookbooks/third-party/openssh-2.11.15/templates/ssh_config.erb create mode 100644 cookbooks/third-party/openssh-2.11.15/templates/sshd_config.erb create mode 100644 cookbooks/third-party/openssh-2.11.15/test/integration/default/default_spec.rb create mode 100644 
cookbooks/third-party/openssh-2.11.15/test/integration/iptables/default_spec.rb create mode 100644 cookbooks/third-party/openssh-2.11.15/test/integration/windows-default/default_spec.rb
diff --git a/Berksfile b/Berksfile
index 7ea78d317..5db1d19ed 100644
--- a/Berksfile
+++ b/Berksfile
@@ -11,7 +11,7 @@ cookbook "apt", path: "./cookbooks/third-party/apt-7.5.22"
 cookbook "iptables", path: "./cookbooks/third-party/iptables-8.0.0"
 cookbook "line", path: "./cookbooks/third-party/line-4.5.13"
 cookbook "nfs", path: "./cookbooks/third-party/nfs-5.1.2"
-cookbook "openssh", path: "./cookbooks/third-party/openssh-2.11.12"
+cookbook "openssh", path: "./cookbooks/third-party/openssh-2.11.15"
 cookbook "pyenv", path: "./cookbooks/third-party/pyenv-4.2.3"
 cookbook "yum", path: "./cookbooks/third-party/yum-7.4.13"
 cookbook "yum-epel", path: "./cookbooks/third-party/yum-epel-5.0.2"
diff --git a/cookbooks/aws-parallelcluster-awsbatch/Berksfile b/cookbooks/aws-parallelcluster-awsbatch/Berksfile
index 2e957a1e1..2f925eaa2 100644
--- a/cookbooks/aws-parallelcluster-awsbatch/Berksfile
+++ b/cookbooks/aws-parallelcluster-awsbatch/Berksfile
@@ -16,7 +16,7 @@ cookbook "apt", path: "../third-party/apt-7.5.22"
 cookbook "iptables", path: "../third-party/iptables-8.0.0"
 cookbook "line", path: "../third-party/line-4.5.13"
 cookbook "nfs", path: "../third-party/nfs-5.1.2"
-cookbook "openssh", path: "../third-party/openssh-2.11.12"
+cookbook "openssh", path: "../third-party/openssh-2.11.15"
 cookbook "pyenv", path: "../third-party/pyenv-4.2.3"
 cookbook "yum", path: "../third-party/yum-7.4.13"
 cookbook "yum-epel", path: "../third-party/yum-epel-5.0.2"
diff --git a/cookbooks/aws-parallelcluster-awsbatch/metadata.rb b/cookbooks/aws-parallelcluster-awsbatch/metadata.rb
index 213350856..3ba1491e3 100644
--- a/cookbooks/aws-parallelcluster-awsbatch/metadata.rb
+++ b/cookbooks/aws-parallelcluster-awsbatch/metadata.rb
@@ -13,7 +13,7 @@
 depends 'iptables', '~> 8.0.0'
 depends 'nfs', '~> 5.1.2'
 depends 'line', '~> 4.5.13'
-depends 'openssh', '~> 2.11.12'
+depends 'openssh', '~> 2.11.15'
 depends 'pyenv', '~> 4.2.3'
 depends 'yum', '~> 7.4.13'
 depends 'yum-epel', '~> 5.0.2'
diff --git a/cookbooks/aws-parallelcluster-entrypoints/Berksfile b/cookbooks/aws-parallelcluster-entrypoints/Berksfile
index 5de9af804..52882c16f 100644
--- a/cookbooks/aws-parallelcluster-entrypoints/Berksfile
+++ b/cookbooks/aws-parallelcluster-entrypoints/Berksfile
@@ -13,7 +13,7 @@ cookbook "apt", path: "../third-party/apt-7.5.22"
 cookbook "iptables", path: "../third-party/iptables-8.0.0"
 cookbook "line", path: "../third-party/line-4.5.13"
 cookbook "nfs", path: "../third-party/nfs-5.1.2"
-cookbook "openssh", path: "../third-party/openssh-2.11.12"
+cookbook "openssh", path: "../third-party/openssh-2.11.15"
 cookbook "pyenv", path: "../third-party/pyenv-4.2.3"
 cookbook "yum", path: "../third-party/yum-7.4.13"
 cookbook "yum-epel", path: "../third-party/yum-epel-5.0.2"
diff --git a/cookbooks/aws-parallelcluster-shared/recipes/setup_envars.rb b/cookbooks/aws-parallelcluster-shared/recipes/setup_envars.rb
index bca17b673..d4389bb3e 100644
--- a/cookbooks/aws-parallelcluster-shared/recipes/setup_envars.rb
+++ b/cookbooks/aws-parallelcluster-shared/recipes/setup_envars.rb
@@ -7,7 +7,7 @@
 # Copyright:: 2013-2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the
-# License. A copy of the License is located at
+# License. A copy of the License is located atd
 #
 # http://aws.amazon.com/apache2.0/
 #
diff --git a/cookbooks/aws-parallelcluster-slurm/Berksfile b/cookbooks/aws-parallelcluster-slurm/Berksfile
index a0935186e..7ee3a7b15 100644
--- a/cookbooks/aws-parallelcluster-slurm/Berksfile
+++ b/cookbooks/aws-parallelcluster-slurm/Berksfile
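Review bot: The only change to setup_envars.rb is a stray `d` appended to the Apache license header (`+# License. A copy of the License is located atd`), which reads as an accidental keystroke rather than an intended edit. It should be reverted to `# License. A copy of the License is located at` so the header stays correct, or dropped from this commit entirely since it is unrelated to the openssh cookbook bump described in the subject. A CI lint step that diffs license headers against the canonical template would catch this class of drift before merge.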
@@ -10,7 +10,7 @@ cookbook "apt", path: "../third-party/apt-7.5.22"
 cookbook "iptables", path: "../third-party/iptables-8.0.0"
 cookbook "line", path: "../third-party/line-4.5.13"
 cookbook "nfs", path: "../third-party/nfs-5.1.2"
-cookbook "openssh", path: "../third-party/openssh-2.11.12"
+cookbook "openssh", path: "../third-party/openssh-2.11.15"
 cookbook "pyenv", path: "../third-party/pyenv-4.2.3"
 cookbook "yum", path: "../third-party/yum-7.4.13"
 cookbook "yum-epel", path: "../third-party/yum-epel-5.0.2"
diff --git a/cookbooks/aws-parallelcluster-slurm/metadata.rb b/cookbooks/aws-parallelcluster-slurm/metadata.rb
index c0356fffe..3e25ca94b 100644
--- a/cookbooks/aws-parallelcluster-slurm/metadata.rb
+++ b/cookbooks/aws-parallelcluster-slurm/metadata.rb
@@ -13,7 +13,7 @@
 depends 'iptables', '~> 8.0.0'
 depends 'line', '~> 4.5.13'
 depends 'nfs', '~> 5.1.2'
-depends 'openssh', '~> 2.11.12'
+depends 'openssh', '~> 2.11.15'
 depends 'pyenv', '~> 4.2.3'
 depends 'yum', '~> 7.4.13'
 depends 'yum-epel', '~> 5.0.2'
diff --git a/cookbooks/third-party/openssh-2.11.15/.editorconfig b/cookbooks/third-party/openssh-2.11.15/.editorconfig
new file mode 100755
index 000000000..cc21b0460
--- /dev/null
+++ b/cookbooks/third-party/openssh-2.11.15/.editorconfig
@@ -0,0 +1,19 @@
+# https://EditorConfig.org
+
+# top-most EditorConfig file
+root=true
+
+# Unix-style newlines with a newline ending every file
+[*]
+end_of_line = lf
+insert_final_newline = true
+
+# 2 space indentation
+indent_style = space
+indent_size = 2
+
+# Avoid issues parsing cookbook files later
+charset = utf-8
+
+# Avoid cookstyle warnings
+trim_trailing_whitespace = true
diff --git a/cookbooks/third-party/openssh-2.11.15/.envrc b/cookbooks/third-party/openssh-2.11.15/.envrc
new file mode 100644
index 000000000..484ad2666
--- /dev/null
+++ b/cookbooks/third-party/openssh-2.11.15/.envrc
@@ -0,0 +1,2 @@
+use chefworkstation
+export KITCHEN_GLOBAL_YAML=kitchen.global.yml
diff --git a/cookbooks/third-party/openssh-2.11.15/.gitattributes b/cookbooks/third-party/openssh-2.11.15/.gitattributes
new file mode 100644
index 000000000..6313b56c5
--- /dev/null
+++ b/cookbooks/third-party/openssh-2.11.15/.gitattributes
@@ -0,0 +1 @@
+* text=auto eol=lf
diff --git a/cookbooks/third-party/openssh-2.11.15/.github/CODEOWNERS b/cookbooks/third-party/openssh-2.11.15/.github/CODEOWNERS
new file mode 100644
index 000000000..7cc52a972
--- /dev/null
+++ b/cookbooks/third-party/openssh-2.11.15/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @sous-chefs/maintainers
diff --git a/cookbooks/third-party/openssh-2.11.15/.github/workflows/ci.yml b/cookbooks/third-party/openssh-2.11.15/.github/workflows/ci.yml
new file mode 100644
index 000000000..39c508cb1
--- /dev/null
+++ b/cookbooks/third-party/openssh-2.11.15/.github/workflows/ci.yml
@@ -0,0 +1,147 @@ +--- +name: ci + +"on": + pull_request: + push: + branches: + - main + +jobs: + lint-unit: + uses: sous-chefs/.github/.github/workflows/lint-unit.yml@3.1.1 + permissions: + actions: write + checks: write + pull-requests: write + statuses: write + issues: write + + integration: + needs: lint-unit + runs-on: ubuntu-latest + strategy: + matrix: + os: + - "almalinux-8" + - "amazonlinux-2" + - "centos-7" + - "centos-stream-8" + - "debian-10" + - "debian-11" + - "fedora-latest" + - "opensuse-leap-15" + - "ubuntu-1804" + - "ubuntu-2004" + - "rockylinux-8" + suite: + - "default" + - "iptables" + exclude: + - os: "almalinux-8" + suite: "iptables" + - os: "centos-7" + suite: "iptables" + - os: "centos-stream-8" + suite: "iptables" + - os: "opensuse-leap-15" + suite: "iptables" + - os: "rockylinux-8" + suite: "iptables" + fail-fast: false + + steps: + - name: Check out code + uses: actions/checkout@v4 + - name: Install Chef + uses: actionshub/chef-install@3.0.0 + - name: Dokken + uses: actionshub/test-kitchen@3.0.0 + env: + CHEF_LICENSE: accept-no-persist + KITCHEN_LOCAL_YAML: kitchen.dokken.yml + with: + suite: ${{ matrix.suite }} + os: ${{ matrix.os }} + + integration-windows: + needs: lint-unit + runs-on: windows-latest + timeout-minutes: 20 + strategy: + matrix: + os: + - "windows-latest" + suite: + - "windows-default" + fail-fast: false + + steps: + - name: Check out code + uses: actions/checkout@v4 + - name: Install Chef + uses: actionshub/chef-install@3.0.0 + - name: Download Openssh Installer + uses: suisei-cn/actions-download-file@v1.6.0 + with: + url: https://github.com/PowerShell/Win32-OpenSSH/releases/download/v9.2.2.0p1-Beta/OpenSSH-Win64-v9.2.2.0.msi + target: installer/ + - name: Install Openssh + run: | + echo %cd% + dir installer + $file = "installer\\OpenSSH-Win64-v9.2.2.0.msi" + $log = "installer\\install.log" + $procMain = Start-Process "msiexec" "/i `"$file`" /qn /l*! 
`"$log`"" -NoNewWindow -PassThru + $procLog = Start-Process "powershell" "Get-Content -Path `"$log`" -Wait" -NoNewWindow -PassThru + $procMain.WaitForExit() + $procLog.Kill() + + - name: Kitchen Converge + uses: actionshub/test-kitchen@3.0.0 + env: + CHEF_LICENSE: accept-no-persist + KITCHEN_LOCAL_YAML: kitchen.exec.yml + with: + suite: ${{ matrix.suite }} + os: ${{ matrix.os }} + action: converge + - name: Kitchen Verify + uses: actionshub/test-kitchen@3.0.0 + env: + CHEF_LICENSE: accept-no-persist + KITCHEN_LOCAL_YAML: kitchen.exec.yml + with: + suite: ${{ matrix.suite }} + os: ${{ matrix.os }} + action: verify + + # unable to get SSH service to start + # integration-macos: + # needs: [mdl, yamllint, delivery] + # runs-on: macos-latest + # strategy: + # matrix: + # os: + # - 'macos-latest' + # suite: + # - 'default' + # fail-fast: false + # + # steps: + # - name: Check out code + # uses: actions/checkout@v2 + # - name: Install Chef + # uses: actionshub/chef-install@2.0.4 + # - name: test-kitchen + # uses: actionshub/test-kitchen@2.1.0 + # env: + # CHEF_LICENSE: accept-no-persist + # KITCHEN_LOCAL_YAML: kitchen.exec.yml + # with: + # suite: ${{ matrix.suite }} + # os: ${{ matrix.os }} + # - name: Print debug output on failure + # if: failure() + # run: | + # sudo syslog diff --git a/cookbooks/third-party/openssh-2.11.15/.github/workflows/stale.yml b/cookbooks/third-party/openssh-2.11.15/.github/workflows/stale.yml new file mode 100644 index 000000000..d4dae8fcf --- /dev/null +++ b/cookbooks/third-party/openssh-2.11.15/.github/workflows/stale.yml 
@@ -0,0 +1,25 @@ +--- +name: Mark stale issues and pull requests + +"on": + schedule: [cron: "0 0 * * *"] + +jobs: + stale: + runs-on: ubuntu-latest + steps: + - uses: actions/stale@v9 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + close-issue-message: > + Closing due to inactivity. + If this is still an issue please reopen or open another issue. + Alternatively drop by the #sous-chefs channel on the [Chef Community Slack](http://community-slack.chef.io/) and we'll be happy to help! + Thanks, Sous-Chefs. + days-before-close: 7 + days-before-stale: 365 + stale-issue-message: > + Marking stale due to inactivity. + Remove stale label or comment or this will be closed in 7 days. + Alternatively drop by the #sous-chefs channel on the [Chef Community Slack](http://community-slack.chef.io/) and we'll be happy to help! + Thanks, Sous-Chefs. diff --git a/cookbooks/third-party/openssh-2.11.15/.gitignore b/cookbooks/third-party/openssh-2.11.15/.gitignore new file mode 100644 index 000000000..be3b9a8bc --- /dev/null +++ b/cookbooks/third-party/openssh-2.11.15/.gitignore @@ -0,0 +1,49 @@ +*.rbc +.config +InstalledFiles +pkg +test/tmp +test/version_tmp +tmp +_Store +*~ +*# +.#* +\#*# +*.un~ +*.tmp +*.bk +*.bkup + +# editor files +.idea +.*.sw[a-z] + +# ruby/bundler/rspec files +.ruby-version +.ruby-gemset +.rvmrc +Gemfile.lock +.bundle +*.gem +coverage +spec/reports + +# YARD / rdoc artifacts +.yardoc +_yardoc +doc/ +rdoc + +# chef infra stuff +Berksfile.lock +.kitchen +kitchen.local.yml +vendor/ +.coverage/ +.zero-knife.rb +Policyfile.lock.json + +# vagrant stuff +.vagrant/ +.vagrant.d/ diff --git a/cookbooks/third-party/openssh-2.11.15/.markdownlint-cli2.yaml b/cookbooks/third-party/openssh-2.11.15/.markdownlint-cli2.yaml new file mode 100644 index 000000000..0196ac7b3 --- /dev/null +++ b/cookbooks/third-party/openssh-2.11.15/.markdownlint-cli2.yaml 
@@ -0,0 +1,7 @@ +config: + ul-indent: false # MD007 + line-length: false # MD013 + no-duplicate-heading: false # MD024 + reference-links-images: false # MD052 +ignores: + - .github/copilot-instructions.md diff --git a/cookbooks/third-party/openssh-2.11.15/.mdlrc b/cookbooks/third-party/openssh-2.11.15/.mdlrc new file mode 100644 index 000000000..9cc2c6322 --- /dev/null +++ b/cookbooks/third-party/openssh-2.11.15/.mdlrc @@ -0,0 +1 @@ +rules "~MD013", "~MD024", "~MD025" diff --git a/cookbooks/third-party/openssh-2.11.15/.overcommit.yml b/cookbooks/third-party/openssh-2.11.15/.overcommit.yml new file mode 100644 index 000000000..0e89a3c11 --- /dev/null +++ b/cookbooks/third-party/openssh-2.11.15/.overcommit.yml @@ -0,0 +1,24 @@ +--- +PreCommit: + TrailingWhitespace: + enabled: true + YamlLint: + enabled: true + required_executable: "yamllint" + ChefSpec: + enabled: true + required_executable: "chef" + command: ["chef", "exec", "rspec"] + Cookstyle: + enabled: true + required_executable: "cookstyle" + command: ["cookstyle"] + MarkdownLint: + enabled: false + required_executable: "npx" + command: ["npx", "markdownlint-cli2", "'**/*.md'"] + include: ["**/*.md"] + +CommitMsg: + HardTabs: + enabled: true diff --git a/cookbooks/third-party/openssh-2.11.15/.yamllint b/cookbooks/third-party/openssh-2.11.15/.yamllint new file mode 100644 index 000000000..0046b2379 --- /dev/null +++ b/cookbooks/third-party/openssh-2.11.15/.yamllint @@ -0,0 +1,15 @@ +--- +extends: default +rules: + line-length: + max: 256 + level: warning + document-start: disable + braces: + forbid: false + min-spaces-inside: 0 + max-spaces-inside: 1 + min-spaces-inside-empty: -1 + max-spaces-inside-empty: -1 + comments: + min-spaces-from-content: 1 diff --git a/cookbooks/third-party/openssh-2.11.15/Berksfile b/cookbooks/third-party/openssh-2.11.15/Berksfile new file mode 100644 index 000000000..1f382eed0 --- /dev/null +++ b/cookbooks/third-party/openssh-2.11.15/Berksfile 
@@ -0,0 +1,8 @@ +source 'https://supermarket.chef.io' + +metadata + +group :integration do + cookbook 'apt' + cookbook 'homebrew' +end diff --git a/cookbooks/third-party/openssh-2.11.15/CHANGELOG.md b/cookbooks/third-party/openssh-2.11.15/CHANGELOG.md new file mode 100644 index 000000000..949a3f7fb --- /dev/null +++ b/cookbooks/third-party/openssh-2.11.15/CHANGELOG.md 
@@ -0,0 +1,357 @@ +# openssh Cookbook CHANGELOG + +This file is used to list changes made in each version of the openssh cookbook. + +## 2.11.15 - *2024-11-27* + +- In more recent enterprise linux (rhel, oel, etc) systems system policies are added at end of sshd config and therefor any match block needs to be closed + +## 2.11.14 - *2024-11-18* + +Standardise files with files in sous-chefs/repo-management + +Standardise files with files in sous-chefs/repo-management + +## 2.11.13 - *2024-07-15* + +Standardise files with files in sous-chefs/repo-management + +## 2.11.12 - *2024-05-23* + +Standardise files with files in sous-chefs/repo-management + +Standardise files with files in sous-chefs/repo-management + +## 2.11.11 - *2024-05-03* + +## 2.11.10 - *2024-05-03* + +## 2.11.9 - *2024-03-18* + +## 2.11.8 - *2024-03-17* + +## 2.11.7 - *2024-03-12* + +- fix sshd-keygen command location for Amazon Linux 2023 + +## 2.11.6 - *2023-12-21* + +## 2.11.5 - *2023-09-29* + +## 2.11.4 - *2023-09-11* + +## 2.11.3 - *2023-08-05* + +- resolved cookstyle error: attributes/default.rb:120:58 refactor: `Chef/RedundantCode/MultiplePlatformChecks` + +## 2.11.2 - *2023-08-04* + +Standardise files with files in sous-chefs/repo-management + +## 2.11.1 - *2023-08-04* + +- Disable PAM option on Windows + +## 2.11.0 - *2023-08-01* + +- Add Windows Support + +## 2.10.18 - *2023-07-10* + +## 2.10.17 - *2023-05-16* + +## 2.10.16 - *2023-04-17* + +## 2.10.15 - *2023-04-07* + +Standardise files with files in sous-chefs/repo-management + +## 2.10.14 - *2023-04-01* + +## 2.10.13 - *2023-04-01* + +## 2.10.12 - *2023-04-01* + +Standardise files with files in sous-chefs/repo-management + +## 2.10.11 - *2023-03-20* + +Standardise files with files in sous-chefs/repo-management + +## 2.10.10 - *2023-03-15* + +Standardise files with files in sous-chefs/repo-management + +Standardise files with files in sous-chefs/repo-management + +## 2.10.9 - *2023-02-23* + +Standardise files with files in 
sous-chefs/repo-management + +## 2.10.8 - *2023-02-23* + +Remove delivery + +## 2.10.7 - *2023-02-16* + +Standardise files with files in sous-chefs/repo-management + +## 2.10.6 - *2023-02-14* + +## 2.10.5 - *2023-02-14* + +Standardise files with files in sous-chefs/repo-management + +## 2.10.4 - *2022-12-08* + +Standardise files with files in sous-chefs/repo-management + +Standardise files with files in sous-chefs/repo-management + +## 2.10.3 - *2022-02-10* + +- Standardise files with files in sous-chefs/repo-management + +## 2.10.2 - *2022-02-08* + +- Remove delivery folder + +## 2.10.1 - *2022-02-01* + +- Update tested platforms + +## 2.10.0 - *2022-01-24* + +- Improved sorting of Match objects in sshd_config + +## 2.9.2 - *2021-08-30* + +- Standardise files with files in sous-chefs/repo-management + +## 2.9.1 - *2021-06-01* + +- Standardise files with files in sous-chefs/repo-management + +## 2.9.0 - *2021-02-25* + +- Sous Chefs Adoption +- Cookstyle fixes + +## 2.8.1 (2019-10-03) + +- Expand platform testing to the latest platforms - [@tas50](https://github.com/tas50) +- Move template files out of the default directory - [@tas50](https://github.com/tas50) +- Remove deprecated recipe and long_description metadata - [@tas50](https://github.com/tas50) +- Remove EOL opensuse platform from the metadata - [@tas50](https://github.com/tas50) +- Cookstyle fixes in the library - [@tas50](https://github.com/tas50) +- Add RHEL 8 docker container support - [@tas50](https://github.com/tas50) + +## 2.8.0 (2019-05-06) + +- This release greatly improves the default attributes on openSUSE/SLES systems +- Update test kitchen config - [@tas50](https://github.com/tas50) +- Add code owners file - [@tas50](https://github.com/tas50) +- Cookstyle fixes - [@tas50](https://github.com/tas50) +- Remove testing of EOL Ubuntu 14.04 - [@tas50](https://github.com/tas50) +- Move the service name to a helper - [@tas50](https://github.com/tas50) +- Fix the roaming test for Amazon Linux 2 - 
[@tas50](https://github.com/tas50) +- Add opensuseleap 15 testing and Chef 14 testing - [@tas50](https://github.com/tas50) +- Disable roaming on SLES 15 as well - [@tas50](https://github.com/tas50) +- Support generating ssh keys in opensuse 15 containers - [@tas50](https://github.com/tas50) +- Move use_roaming attribute default logic to a helper - [@tas50](https://github.com/tas50) +- Configure the subystem properly on SUSE platform family - [@tas50](https://github.com/tas50) +- Move ssh host key determination to a helper with SLES 15 support - [@tas50](https://github.com/tas50) +- Make sure we return true when supported - [@tas50](https://github.com/tas50) +- Modernize the specs for the new ChefSpec release - [@tas50](https://github.com/tas50) +- Add platform version helpers for readability - [@tas50](https://github.com/tas50) +- Default specs to 18.04 - [@tas50](https://github.com/tas50) +- Avoid FC warning - [@tas50](https://github.com/tas50) +- Disable opensuse 15 testing for now - [@tas50](https://github.com/tas50) + +## 2.7.1 (2018-11-01) + +- Add support for multiple subsystems +- Use template verify property instead of notify to handle configuration verification so we don't ever template out a non-functional config + +## 2.7.0 (2018-07-24) + +- Add support for array values under a host hash and added indentation for host values + +## 2.6.3 (2018-03-19) + +- Support Amazon Linux 2 in containers + +## 2.6.2 (2018-03-02) + +- Swap Chef 12 testing for Chef 14 testing +- Create the privilege separation directory on debian/ubuntu, which is not always there on Docker images +- Add Ubuntu 18.04 testing + +## 2.6.1 (2017-11-30) + +- Generate missing ssh keys on amazon linux as well. 
This impacts containers where ssh keys have not already been generated + +## 2.6.0 (2017-10-18) + +- Fixed trusted user CA key documentation +- Collapse the smartos hostkey attributes into the centos 6 attributes since they were the same values +- Make sure the hostkey attribute works when RHEL 8 comes out by not constraining the version check too much +- Run sshd-keygen on Fedora / CentOS 7 when host keys are missing. Why would keys be missing? Well if you've never run sshd then you don't have keys on RHEL/Fedora. This happens primarily when you try to Chef a container +- Add Testing on Chef 12 to Travis so we test both 12 and 13 +- Move the flat helper methods into an actual library that is properly loaded + +## 2.5.0 (2017-09-16) + +- Added TrustedUserCAKeys and RevokedKeys support +- Enabled Foodcritic FC024 again +- Generate keys on systemd boxes before validating configs by starting sshd-keygen service if it exists. This prevents failures in docker +- Use multipackage installs to install client/server packages to speed up the chef run +- Add Debian 9 testing in Travis +- Add more platforms to Chefspecs, avoid deprecation warnings, and greatly speed up specs + +## 2.4.1 (2017-05-22) + +- Fix a bug that resulted in RHEL 6 cert paths being incorrect and expanded testing to check ssh login behavior not just config validation. 
+ +## 2.4.0 (2017-05-11) + +- Config fixes for the sshd config on Amazon Linux +- Use the correct ssh host keys on RHEL 6 +- Use the right sftp subsystem on Debian and Fedora +- Make sure the hostkeys are set on Debian/Ubuntu + +## 2.3.1 (2017-04-20) + +- Fix AIX service to skip enable since AIX does not support enable + +## 2.3.0 (2017-04-19) + +- Add basic AIX support + +## 2.2.0 (2017-04-03) + +- Test with Local Delivery instead of Rake +- Initial Amazon Linux support for Chef 13 + +## 2.1.1 (2017-01-03) + +- Fix for sftp on rhel +- Add all supported SUSE releases to the readme and metadata + +## 2.1.0 (2016-09-18) + +- Add support for multiple sshd ports. +- Switch to kitchen-dokken for integration testing in Travis CI +- EL7 intentionally lacks of auto-gen'd DSA key +- Fix commented default for ciphers and macs +- Add chef_version metadata +- Remove hostnames from the templates +- Basic Mac OS support +- Avoid node.set deprecation warnings +- Require Chef 12.1+ +- Fix inspec tests +- Remove the service provider logic that isn't necessary in Chef 12 +- Set the sftp subsystem on Ubuntu + +## 2.0.0 (2016-03-18) + +- Don't set the Roaming No directive on RHEL systems before 7.0 as they ship with a sshd release which does not handle this directive +- Depend on the newer iptables cookbook, which bumps the required Chef release for this cookbook to 12.0+ + +## 1.6.1 (2016-01-20) + +- Restored sshd restarting post config change + +## 1.6.0 (2016-01-14) + +- Removed the default['openssh']['rootgroup'] attribute and instead use root_group which was introduced in Chef 11.6.0 +- UseRoaming no is now set in the client config to resolve CVE-2016-0777 and CVE-2016-0778 +- Converted bats integration test to 2 suites of Inspec tests +- Added a libary to sort sshd_config entries while keeping port at the top to prevent sshd from failing to start + +## 1.5.2 (2015-06-29) + +- Use the complete path to sshd when verifying the config file since sbin may not be in the path + +## 
1.5.0 (2015-06-24) + +- Perform a config syntax check before restarting the sshd so we don't break remote access to hosts +- Add support for Ubuntu 15.04+ with systemd +- Added a chefignore file +- Added Gitter badge for asking questions in a Gitter chat room + +## 1.4.0 (2015-05-01) + +- 42 - Fixed support for SmartOS +- 46 - Correct ArchLinux service name +- 43 - Correct OpenSSH server package name on RHEL, Fedora +- 31 - Allow included iptables rule to use the same port number if defined in attributes. +- 41 - Fix default recipe order +- 47 - Fix up iptables rule +- 49 - Fixed the print_last_log attribute in the Readme +- Updated Test Kitchen config with all supported platforms +- Updated Test Kitchen / Foodcritic / Rubocop / Berkshelf depedencies in the Gemfile +- Replaced Travis Ruby 1.9.3/2.0.0 testing with 2.1.5/2.2.0 +- Resolved all Rubocop warnings + +## v1.3.4 (2014-04-23) + +- [COOK-4576] - No way to override `AuthorizedKeysFile` +- [COOK-4584] - Use Upstart on Ubuntu 12.04 +- [COOK-4585] - skip match block in template if empty or unset +- [COOK-4586] OpenSSH Gentoo support + +## v1.3.2 + +### Bug + +- **[COOK-3995](https://tickets.chef.io/browse/COOK-3995)** - sshd_config template needs ordering +- **[COOK-3910](https://tickets.chef.io/browse/COOK-3910)** - ssh fails to start in Ubuntu 13.10 +- **[COOK-2073](https://tickets.chef.io/browse/COOK-2073)** - Add support for Match block + +## v1.3.0 + +### Improvement + +- **[COOK-3644](https://tickets.chef.io/browse/COOK-3644)** - Add FreeBSD support +- **[COOK-2517](https://tickets.chef.io/browse/COOK-2517)** - Add hash support +- **[COOK-2000](https://tickets.chef.io/browse/COOK-2000)** - Make mode of sshd_config a configurable option + +### Bug + +- **[COOK-3558](https://tickets.chef.io/browse/COOK-3558)** - Fix RSA Server Config Options +- **[COOK-3557](https://tickets.chef.io/browse/COOK-3557)** - Fix PubkeyAuthentication option + +## v1.2.2 + +### Bug + +- 
**[COOK-3304](https://tickets.chef.io/browse/COOK-3304)** - Fix error setting Dynamic `ListenAddresses` + +## v1.2.0 + +### Improvement + +- [COOK-2647]: `port_ssh` iptables template has no corresponding recipe + +## v1.1.4 + +- [COOK-2225] - Add platform_family suse + +## v1.1.2 + +- [COOK-1954] - Fix attribute camel case to match `man sshd_config` +- [COOK-1889] - SSH restarting on each chef run due to template changes + +## v1.1.0 + +- [COOK-1663] - Configurable ListenAddress based off list of interface names +- [COOK-1685] - Make default sshd_config value more robust + +## v1.0.0 + +- [COOK-1014] - Templates for ssh(d).conf files. + +## v0.8.1 + +- Current public release diff --git a/cookbooks/third-party/openssh-2.11.15/CODE_OF_CONDUCT.md b/cookbooks/third-party/openssh-2.11.15/CODE_OF_CONDUCT.md new file mode 100644 index 000000000..20b4adbd7 --- /dev/null +++ b/cookbooks/third-party/openssh-2.11.15/CODE_OF_CONDUCT.md @@ -0,0 +1,3 @@ +# Community Guidelines + +This project follows the Chef Community Guidelines diff --git a/cookbooks/third-party/openssh-2.11.15/CONTRIBUTING.md b/cookbooks/third-party/openssh-2.11.15/CONTRIBUTING.md new file mode 100644 index 000000000..c76e180fc --- /dev/null +++ b/cookbooks/third-party/openssh-2.11.15/CONTRIBUTING.md @@ -0,0 +1,4 @@ +# Contributing + +Please refer to +[https://github.com/chef-cookbooks/community_cookbook_documentation/blob/main/CONTRIBUTING.MD](https://github.com/chef-cookbooks/community_cookbook_documentation/blob/main/CONTRIBUTING.MD) diff --git a/cookbooks/third-party/openssh-2.11.15/Dangerfile b/cookbooks/third-party/openssh-2.11.15/Dangerfile new file mode 100644 index 000000000..bc08b7aeb --- /dev/null +++ b/cookbooks/third-party/openssh-2.11.15/Dangerfile 
@@ -0,0 +1,47 @@
+# Reference: http://danger.systems/reference.html
+
+# A pull request summary is required. Add a description of the pull request purpose.
+# Changelog must be updated for each pull request that changes code.
+# Warnings will be issued for:
+# Pull request with more than 400 lines of code changed
+# Pull reqest that change more than 5 lines without test changes
+# Failures will be issued for:
+# Pull request without summary
+# Pull requests with code changes without changelog entry
+
+def code_changes?
+ code = %w(libraries attributes recipes resources files templates)
+ code.each do |location|
+ return true unless git.modified_files.grep(/#{location}/).empty?
+ end
+ false
+end
+
+def test_changes?
+ tests = %w(spec test kitchen.yml kitchen.dokken.yml)
+ tests.each do |location|
+ return true unless git.modified_files.grep(/#{location}/).empty?
+ end
+ false
+end
+
+failure 'Please provide a summary of your Pull Request.' if github.pr_body.length < 10
+
+warn 'This is a big Pull Request.' if git.lines_of_code > 400
+
+warn 'This is a Table Flip.' if git.lines_of_code > 2000
+
+# Require a CHANGELOG entry for non-test changes.
+if !git.modified_files.include?('CHANGELOG.md') && code_changes?
+ failure 'Please include a CHANGELOG entry.'
+end
+
+# Require Major Minor Patch version labels
+unless github.pr_labels.grep /minor|major|patch/i
+ warn 'Please add a release label to this pull request'
+end
+
+# A sanity check for tests.
+if git.lines_of_code > 5 && code_changes? && !test_changes?
+ warn 'This Pull Request is probably missing tests.'
+end
diff --git a/cookbooks/third-party/openssh-2.11.15/LICENSE b/cookbooks/third-party/openssh-2.11.15/LICENSE
new file mode 100644
index 000000000..8f71f43fe
--- /dev/null
+++ b/cookbooks/third-party/openssh-2.11.15/LICENSE
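Review bot: The release-label check near the end of the hunk can never fire: `Array#grep` returns an array, and an empty array is truthy in Ruby, so `unless github.pr_labels.grep /minor|major|patch/i` always skips the `warn`. Testing the result instead, `warn 'Please add a release label to this pull request' if github.pr_labels.grep(/minor|major|patch/i).empty?`, restores the intended behaviour and also removes the parenthesis-less regex argument Ruby warns about. Separately, `code_changes?` and `test_changes?` match `/#{location}/` as an unanchored substring of each path, so a file whose name merely contains `files` or `test` is classified as code or test; anchoring on a path-segment boundary would reduce such false positives. This file is vendored from the upstream cookbook, so the fix is probably best raised there as well.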
@@ -0,0 +1,202 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + diff --git a/cookbooks/third-party/openssh-2.11.15/README.md b/cookbooks/third-party/openssh-2.11.15/README.md new file mode 100644 index 000000000..d2f5e9c44 --- /dev/null +++ b/cookbooks/third-party/openssh-2.11.15/README.md 
@@ -0,0 +1,283 @@ +# openssh Cookbook + +[![Cookbook Version](https://img.shields.io/cookbook/v/openssh.svg)](https://supermarket.chef.io/cookbooks/openssh) +[![CI State](https://github.com/sous-chefs/openssh/workflows/ci/badge.svg)](https://github.com/sous-chefs/openssh/actions?query=workflow%3Aci) +[![OpenCollective](https://opencollective.com/sous-chefs/backers/badge.svg)](#backers) +[![OpenCollective](https://opencollective.com/sous-chefs/sponsors/badge.svg)](#sponsors) +[![License](https://img.shields.io/badge/License-Apache%202.0-green.svg)](https://opensource.org/licenses/Apache-2.0) + +Installs and configures OpenSSH client and daemon. + +## Maintainers + +This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you’d like to know more please visit [sous-chefs.org](https://sous-chefs.org/) or come chat with us on the Chef Community Slack in [#sous-chefs](https://chefcommunity.slack.com/messages/C2V7B88SF). + +## Requirements + +### Platforms + +- Debian/Ubuntu +- RHEL/CentOS/Scientific/Oracle +- Fedora +- FreeBSD +- Suse Enterprise Linux +- openSUSE / openSUSE leap +- AIX 7.1 +- Windows + +### Chef + +- Chef 12.1+ + +### Cookbooks + +- iptables + +## Recipes + +### default + +Installs openssh packages, manages the sshd config file, configure trusted ca keys, configure revoked keys, and starts/enables the sshd service. + +### iptables + +Creates an iptables firewall rule to allow inbound SSH connections. + +## Usage + +Apply the default recipe to the node's run_list to ensure that the openssh packages are installed, sshd is configured, and the service is started and enabled + +## Attributes List + +The attributes list is dynamically generated, and lines up with the default openssh configs. 
+ +This means anything located in [sshd_config](http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5) or [ssh_config](http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5) can be used in your node attributes. + +- If the option can be entered more then once, use an _Array_, otherwise, use a _String_. If the option is host-specific use a `Hash` (please see below for more details). +- Each attribute is stored as ruby case, and converted to camel case for the config file on the fly. +- The current default attributes match the stock `ssh_config` and `sshd_config` provided by openssh. +- The namespace for `sshd_config` is `node['openssh']['server']`. +- Likewise, the namespace for `ssh_config` is `node['openssh']['client']`. +- An attribute can be an `Array`, a `Hash` or a `String`. +- If it is an `Array`, each item in the array will get it's own line in the config file. +- `Hash` attributes are meant to used with `ssh_config` namespace to create host-specific configurations. The keys of the `Hash` will be used as the `Host` entries and their associated entries as the configuration values. +- All the values in openssh are commented out in the `attributes/default.rb` file for a base starting point. +- There is one special attribute name, which is `match`. This is not included in the default template like the others. `node['openssh']['server']['match']` must be a Hash, where the key is the match pattern criteria and the value should be a Hash of normal keywords and values. The same transformations listed above apply to these keywords. To get improved sorting of match items, you can prefix the key with a number. See examples below. + +## Dynamic ListenAddress + +Pass in a `Hash` of interface names, and IP address type(s) to bind sshd to. This will expand to a list of IP addresses which override the default `node['openssh']['server']['listen_address']` value. 
+ +## Examples and Common usage + +These can be mixed and matched in roles and attributes. Please note, it is possible to get sshd into a state that it will not run. If this is the case, you will need to login via an alternate method and debug sshd like normal. + +### No Password logins + +This requires use of identity files to connect + +```json +"openssh": { + "server": { + "password_authentication": "no" + } +} +``` + +### Change sshd Port + +```json +"openssh": { + "server": { + "port": "14188" + } +} +``` + +### Match + +```json +"openssh": { + "server": { + "match": { + "Address 192.168.1.0/24": { + "password_authentication": "yes" + }, + "Group admins": { + "permit_tunnel": "yes", + "max_sessions": "20" + } + } + } +} +``` + +### Match with sorting + +```json +"openssh": { + "server": { + "match": { + "0 User foobar": { + "force_command": "internal-sftp -d /home/%u -l VERBOSE" + }, + "Group admins": { + "force_command": "internal-sftp -d /home/admins -l VERBOSE" + } + } + } +} +``` + +### Enable X Forwarding + +```json +"openssh": { + "server": { + "x11_forwarding": "yes" + } +} +``` + +### Bind to a specific set of address (this example actually binds to all) + +Not to be used with `node['openssh']['listen_interfaces']`. + +```json +"openssh": { + "server": { + "address_family": "any", + "listen_address": [ "192.168.0.1", "::" ] + } + } +} +``` + +### Bind to the addresses tied to a set of interfaces + +```json +"openssh": { + "listen_interfaces": { + "eth0": "inet", + "eth1": "inet6" + } +} +``` + +### Configure Trusted User CA Keys + +```json +"openssh": { + "ca_keys": [ + "ssh-rsa key... ca_id_1", + "ssh-rsa key... ca_id_2" + ] +} +``` + +### Configure Revoked Keys + +```json +"openssh": { + "server": { + "revoked_keys": [ + "ssh-rsa key... user_key_1", + "ssh-rsa key... user_key_2" + ] + } +} +``` + +### Host-specific configurations with hashes + +You can use a `Hash` with `node['openssh']['client']` to configure different values for different hosts. 
+ +```json +"client": { + "*": { + "g_s_s_a_p_i_authentication": "yes", + "send_env": "LANG LC_*", + "hash_known_hosts": "yes" + }, + "localhost": { + "user_known_hosts_file": "/dev/null", + "strict_host_key_checking": "no" + }, + "127.0.0.1": { + "user_known_hosts_file": "/dev/null", + "strict_host_key_checking": "no" + }, + "other*": { + "user_known_hosts_file": "/dev/null", + "strict_host_key_checking": "no" + } +} +``` + +The keys are used as values with the `Host` entries. So, the configuration fragment shown above generates: + +```text +Host * +SendEnv LANG LC_* +HashKnownHosts yes +GSSAPIAuthentication yes +Host localhost +StrictHostKeyChecking no +UserKnownHostsFile /dev/null +Host 127.0.0.1 +StrictHostKeyChecking no +UserKnownHostsFile /dev/null +Host other* +StrictHostKeyChecking no +UserKnownHostsFile /dev/null +``` + +### SSH Subsystems + +Configure multiple SSH subsystems (e.g. sftp, netconf): + +```json +"openssh": { + "server": { + "subsystem": { + "sftp": "/usr/lib/openssh/sftp-server", + "appX": "/usr/sbin/appX" + } + } +} +``` + +Former declaration of single subsystem: + +```json +"openssh": { + "server": { + "subsystem": "sftp /usr/lib/openssh/sftp-server" + } +} +``` + +## Contributors + +This project exists thanks to all the people who [contribute.](https://opencollective.com/sous-chefs/contributors.svg?width=890&button=false) + +### Backers + +Thank you to all our backers! + +![https://opencollective.com/sous-chefs#backers](https://opencollective.com/sous-chefs/backers.svg?width=600&avatarHeight=40) + +### Sponsors + +Support this project by becoming a sponsor. Your logo will show up here with a link to your website. 
+ +![https://opencollective.com/sous-chefs/sponsor/0/website](https://opencollective.com/sous-chefs/sponsor/0/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/1/website](https://opencollective.com/sous-chefs/sponsor/1/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/2/website](https://opencollective.com/sous-chefs/sponsor/2/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/3/website](https://opencollective.com/sous-chefs/sponsor/3/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/4/website](https://opencollective.com/sous-chefs/sponsor/4/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/5/website](https://opencollective.com/sous-chefs/sponsor/5/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/6/website](https://opencollective.com/sous-chefs/sponsor/6/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/7/website](https://opencollective.com/sous-chefs/sponsor/7/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/8/website](https://opencollective.com/sous-chefs/sponsor/8/avatar.svg?avatarHeight=100) +![https://opencollective.com/sous-chefs/sponsor/9/website](https://opencollective.com/sous-chefs/sponsor/9/avatar.svg?avatarHeight=100) diff --git a/cookbooks/third-party/openssh-2.11.15/TESTING.md b/cookbooks/third-party/openssh-2.11.15/TESTING.md new file mode 100644 index 000000000..5a7d00191 --- /dev/null +++ b/cookbooks/third-party/openssh-2.11.15/TESTING.md @@ -0,0 +1,3 @@ +# Testing + +Please refer to [the community cookbook documentation on testing](https://github.com/chef-cookbooks/community_cookbook_documentation/blob/main/TESTING.MD). diff --git a/cookbooks/third-party/openssh-2.11.15/attributes/default.rb b/cookbooks/third-party/openssh-2.11.15/attributes/default.rb new file mode 100644 index 000000000..2243ba853 --- /dev/null 
+++ b/cookbooks/third-party/openssh-2.11.15/attributes/default.rb 
@@ -0,0 +1,156 @@
+#
+# Cookbook:: openssh
+# Attributes:: default
+#
+# Author:: Ernie Brodeur
+# Copyright:: 2008-2019, Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Attributes are commented out using the default config file values.
+# Uncomment the ones you need, or set attributes in a role.
+#
+
+default['openssh']['package_name'] = case node['platform_family']
+ when 'rhel', 'fedora', 'amazon'
+ %w(openssh-clients openssh-server)
+ when 'arch', 'suse', 'gentoo'
+ %w(openssh)
+ when 'freebsd', 'smartos', 'mac_os_x', 'aix', 'windows'
+ %w()
+ else
+ %w(openssh-client openssh-server)
+ end
+
+default['openssh']['config_mode'] = if platform_family?('rhel', 'fedora', 'amazon', 'aix')
+ '0600'
+ else
+ '0644'
+ end
+
+# trusted ca keys
+default['openssh']['ca_keys'] = %w()
+# revoked keys
+default['openssh']['revoked_keys'] = %w()
+
+# ssh config group
+default['openssh']['client']['host'] = '*'
+
+# Workaround for CVE-2016-0777 and CVE-2016-0778.
+# Older versions of RHEL should not receive this directive
+default['openssh']['client']['use_roaming'] = 'no'
+# default['openssh']['client']['forward_agent'] = 'no'
+# default['openssh']['client']['forward_x11'] = 'no'
+# default['openssh']['client']['rhosts_rsa_authentication'] = 'no'
+# default['openssh']['client']['rsa_authentication'] = 'yes'
+# default['openssh']['client']['password_authentication'] = 'yes'
+# default['openssh']['client']['host_based_authentication'] = 'no'
+# default['openssh']['client']['gssapi_authentication'] = 'no'
+# default['openssh']['client']['gssapi_delegate_credentials'] = 'no'
+# default['openssh']['client']['batch_mode'] = 'no'
+# default['openssh']['client']['check_host_ip'] = 'yes'
+# default['openssh']['client']['address_family'] = 'any'
+# default['openssh']['client']['connect_timeout'] = '0'
+# default['openssh']['client']['strict_host_key_checking'] = 'ask'
+# default['openssh']['client']['identity_file'] = '~/.ssh/identity'
+# default['openssh']['client']['identity_file_rsa'] = '~/.ssh/id_rsa'
+# default['openssh']['client']['identity_file_dsa'] = '~/.ssh/id_dsa'
+# default['openssh']['client']['port'] = '22'
+# default['openssh']['client']['protocol'] = [ '2 1' ]
+# default['openssh']['client']['cipher'] = '3des'
+# default['openssh']['client']['ciphers'] = 'aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc'
+# default['openssh']['client']['macs'] = 'hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160'
+# default['openssh']['client']['escape_char'] = '~'
+# default['openssh']['client']['tunnel'] = 'no'
+# default['openssh']['client']['tunnel_device'] = 'any:any'
+# default['openssh']['client']['permit_local_command'] = 'no'
+# default['openssh']['client']['visual_host_key'] = 'no'
+# default['openssh']['client']['proxy_command'] = 'ssh -q -W %h:%p gateway.example.com'
+# sshd config group
+# default['openssh']['server']['port'] = '22'
+# default['openssh']['server']['address_family'] = 'any'
+# default['openssh']['server']['listen_address'] = [ '0.0.0.0 ::' ]
+# default['openssh']['server']['protocol'] = '2'
+# default['openssh']['server']['host_key_v1'] = '/etc/ssh/ssh_host_key'
+# default['openssh']['server']['host_key_rsa'] = '/etc/ssh/ssh_host_rsa_key'
+# default['openssh']['server']['host_key_dsa'] = '/etc/ssh/ssh_host_dsa_key'
+
+# modern platforms don't generate DSA keys by default and older platforms don't support
+# ed25519 keys, but if you tell sshd to look for all of them it will spam syslog with
+# whatever it can't find so choose a sane set of supported keys based on version using
+# a helper method.
+default['openssh']['server']['host_key'] = supported_ssh_host_keys
+
+# default['openssh']['server']['host_key_ecdsa'] = '/etc/ssh/ssh_host_ecdsa_key'
+# default['openssh']['server']['key_regeneration_interval'] = '1h'
+# default['openssh']['server']['server_key_bits'] = '1024'
+# default['openssh']['server']['syslog_facility'] = 'AUTH'
+# default['openssh']['server']['log_level'] = 'INFO'
+# default['openssh']['server']['login_grace_time'] = '2m'
+# default['openssh']['server']['permit_root_login'] = 'yes'
+# default['openssh']['server']['strict_modes'] = 'yes'
+# default['openssh']['server']['max_auth_tries'] = '6'
+# default['openssh']['server']['max_sessions'] = '10'
+# default['openssh']['server']['r_s_a_authentication'] = 'yes'
+# default['openssh']['server']['pubkey_authentication'] = 'yes'
+# default['openssh']['server']['authorized_keys_file'] = '%h/.ssh/authorized_keys'
+# default['openssh']['server']['rhosts_r_s_a_authentication'] = 'no'
+# default['openssh']['server']['host_based_authentication'] = 'no'
+# default['openssh']['server']['ignore_user_known_hosts'] = 'no'
+# default['openssh']['server']['ignore_rhosts'] = 'yes'
+default['openssh']['server']['password_authentication'] = 'no' if platform?('amazon')
+# default['openssh']['server']['permit_empty_passwords'] = 'no'
+default['openssh']['server']['challenge_response_authentication'] = 'no'
+# default['openssh']['server']['kerberos_authentication'] = 'no'
+# default['openssh']['server']['kerberos_or_localpasswd'] = 'yes'
+# default['openssh']['server']['kerberos_ticket_cleanup'] = 'yes'
+# default['openssh']['server']['kerberos_get_afs_token'] = 'no'
+# default['openssh']['server']['gssapi_authentication'] = 'no'
+# default['openssh']['server']['gssapi_clean_up_credentials'] = 'yes'
+default['openssh']['server']['use_p_a_m'] = 'yes' unless platform_family?('smartos', 'windows')
+# default['openssh']['server']['allow_agent_forwarding'] = 'yes'
+# default['openssh']['server']['allow_tcp_forwarding'] = 'yes'
+# default['openssh']['server']['gateway_ports'] = 'no'
+# default['openssh']['server']['x11_forwarding'] = 'no'
+# default['openssh']['server']['x11_display_offset'] = '10'
+# default['openssh']['server']['x11_use_localhost'] = 'yes'
+# default['openssh']['server']['print_motd'] = 'yes'
+# default['openssh']['server']['print_last_log'] = 'yes'
+# default['openssh']['server']['t_c_p_keep_alive'] = 'yes'
+# default['openssh']['server']['use_login'] = 'no'
+# default['openssh']['server']['use_privilege_separation'] = 'yes'
+# default['openssh']['server']['permit_user_environment'] = 'no'
+# default['openssh']['server']['compression'] = 'delayed'
+# default['openssh']['server']['client_alive_interval'] = '0'
+# default['openssh']['server']['client_alive_count_max'] = '3'
+# default['openssh']['server']['use_dns'] = 'yes'
+# default['openssh']['server']['pid_file'] = '/var/run/sshd.pid'
+# default['openssh']['server']['max_startups'] = '10'
+# default['openssh']['server']['permit_tunnel'] = 'no'
+# default['openssh']['server']['chroot_directory'] = 'none'
+# default['openssh']['server']['banner'] = 'none'
+# default['openssh']['server']['subsystem'] = 'sftp /usr/libexec/sftp-server'
+default['openssh']['server']['trusted_user_c_a_keys'] = if platform_family?('windows')
+ join_path(base_ssh_config_dir, 'ca_userkeys.pub')
+ else
+ '/etc/ssh/ca_keys'
+ end
+default['openssh']['server']['revoked_keys'] = if platform_family?('windows')
+ join_path(base_ssh_config_dir, 'revoked_keys')
+ else
+ '/etc/ssh/revoked_keys'
+ end
+default['openssh']['server']['subsystem'] = 'sftp /usr/libexec/openssh/sftp-server' if platform_family?('rhel', 'amazon', 'fedora')
+default['openssh']['server']['subsystem'] = 'sftp /usr/lib/openssh/sftp-server' if platform_family?('debian')
+default['openssh']['server']['subsystem'] = 'sftp /usr/lib/ssh/sftp-server' if platform_family?('suse')
+default['openssh']['server']['match'] = {}
diff --git a/cookbooks/third-party/openssh-2.11.15/chefignore b/cookbooks/third-party/openssh-2.11.15/chefignore
new file mode 100644
index 000000000..a27b0b258
--- /dev/null
+++ b/cookbooks/third-party/openssh-2.11.15/chefignore
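Review bot: The comment above `default['openssh']['client']['use_roaming'] = 'no'` says older RHEL releases should not receive this directive, yet the assignment is unconditional, so either the comment is stale or a platform guard is missing; if the filtering happens in the template or recipe (outside this hunk), the comment should say so, e.g. `# Set unconditionally here; the ssh_config template is expected to omit UseRoaming where unsupported — verify`. For a cluster deployment it is worth documenting that `password_authentication = 'no'` is applied only when `platform?('amazon')` holds and `permit_root_login` stays commented out, so every other platform inherits whatever sshd compiles in or the stock config ships; a one-line comment stating that expectation would help whoever hardens these attributes later. `supported_ssh_host_keys`, `join_path` and `base_ssh_config_dir` are not defined in this file and presumably come from `libraries/helpers.rb` listed in the diffstat.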
@@ -0,0 +1,115 @@
+# Put files/directories that should be ignored in this file when uploading
+# to a Chef Infra Server or Supermarket.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+ehthumbs.db
+Icon?
+nohup.out
+Thumbs.db
+.envrc
+
+# EDITORS #
+###########
+.#*
+.project
+.settings
+*_flymake
+*_flymake.*
+*.bak
+*.sw[a-z]
+*.tmproj
+*~
+\#*
+REVISION
+TAGS*
+tmtags
+.vscode
+.editorconfig
+
+## COMPILED ##
+##############
+*.class
+*.com
+*.dll
+*.exe
+*.o
+*.pyc
+*.so
+*/rdoc/
+a.out
+mkmf.log
+
+# Testing #
+###########
+.circleci/*
+.codeclimate.yml
+.delivery/*
+.foodcritic
+.kitchen*
+.mdlrc
+.overcommit.yml
+.rspec
+.rubocop.yml
+.travis.yml
+.watchr
+.yamllint
+azure-pipelines.yml
+Dangerfile
+examples/*
+features/*
+Guardfile
+kitchen*.yml
+mlc_config.json
+Procfile
+Rakefile
+spec/*
+test/*
+
+# SCM #
+#######
+.git
+.gitattributes
+.gitconfig
+.github/*
+.gitignore
+.gitkeep
+.gitmodules
+.svn
+*/.bzr/*
+*/.git
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Bundler #
+###########
+vendor/*
+Gemfile
+Gemfile.lock
+
+# Policyfile #
+##############
+Policyfile.rb
+Policyfile.lock.json
+
+# Documentation #
+#############
+CODE_OF_CONDUCT*
+CONTRIBUTING*
+documentation/*
+TESTING*
+UPGRADING*
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile
diff --git a/cookbooks/third-party/openssh-2.11.15/documentation/.gitkeep b/cookbooks/third-party/openssh-2.11.15/documentation/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/cookbooks/third-party/openssh-2.11.15/kitchen.dokken.yml b/cookbooks/third-party/openssh-2.11.15/kitchen.dokken.yml
new file mode 100644
index 000000000..998bb20cb
--- /dev/null
+++ b/cookbooks/third-party/openssh-2.11.15/kitchen.dokken.yml
@@ -0,0 +1,93 @@ +driver: + name: dokken + privileged: true + chef_version: <%= ENV['CHEF_VERSION'] || 'current' %> + +transport: { name: dokken } +provisioner: { name: dokken } + +platforms: + - name: almalinux-8 + driver: + image: dokken/almalinux-8 + pid_one_command: /usr/lib/systemd/systemd + + - name: almalinux-9 + driver: + image: dokken/almalinux-9 + pid_one_command: /usr/lib/systemd/systemd + + - name: almalinux-10 + driver: + image: dokken/almalinux-10 + pid_one_command: /usr/lib/systemd/systemd + + - name: amazonlinux-2023 + driver: + image: dokken/amazonlinux-2023 + pid_one_command: /usr/lib/systemd/systemd + + - name: centos-stream-9 + driver: + image: dokken/centos-stream-9 + pid_one_command: /usr/lib/systemd/systemd + + - name: centos-stream-10 + driver: + image: dokken/centos-stream-10 + pid_one_command: /usr/lib/systemd/systemd + + - name: debian-11 + driver: + image: dokken/debian-11 + pid_one_command: /bin/systemd + + - name: debian-12 + driver: + image: dokken/debian-12 + pid_one_command: /bin/systemd + + - name: fedora-latest + driver: + image: dokken/fedora-latest + pid_one_command: /usr/lib/systemd/systemd + + - name: opensuse-leap-15 + driver: + image: dokken/opensuse-leap-15 + pid_one_command: /usr/lib/systemd/systemd + + - name: oraclelinux-8 + driver: + image: dokken/oraclelinux-8 + pid_one_command: /usr/lib/systemd/systemd + + - name: oraclelinux-9 + driver: + image: dokken/oraclelinux-9 + pid_one_command: /usr/lib/systemd/systemd + + - name: rockylinux-8 + driver: + image: dokken/rockylinux-8 + pid_one_command: /usr/lib/systemd/systemd + + - name: rockylinux-9 + driver: + image: dokken/rockylinux-9 + pid_one_command: /usr/lib/systemd/systemd + + - name: ubuntu-20.04 + driver: + image: dokken/ubuntu-20.04 + pid_one_command: /bin/systemd + + - name: ubuntu-22.04 + driver: + image: dokken/ubuntu-22.04 + pid_one_command: /bin/systemd + + - name: ubuntu-24.04 + driver: + image: dokken/ubuntu-24.04 + pid_one_command: /bin/systemd 
diff --git a/cookbooks/third-party/openssh-2.11.15/kitchen.exec.yml b/cookbooks/third-party/openssh-2.11.15/kitchen.exec.yml new file mode 100644 index 000000000..ba7b2a962 --- /dev/null +++ b/cookbooks/third-party/openssh-2.11.15/kitchen.exec.yml @@ -0,0 +1,7 @@ +--- +driver: { name: exec } +transport: { name: exec } + +platforms: + - name: macos-latest + - name: windows-latest diff --git a/cookbooks/third-party/openssh-2.11.15/kitchen.global.yml b/cookbooks/third-party/openssh-2.11.15/kitchen.global.yml new file mode 100644 index 000000000..1740e4614 --- /dev/null +++ b/cookbooks/third-party/openssh-2.11.15/kitchen.global.yml @@ -0,0 +1,32 @@ +--- +provisioner: + name: chef_infra + product_name: chef + product_version: <%= ENV['CHEF_VERSION'] || 'latest' %> + channel: stable + install_strategy: once + chef_license: accept + enforce_idempotency: <%= ENV['ENFORCE_IDEMPOTENCY'] || true %> + multiple_converge: <%= ENV['MULTIPLE_CONVERGE'] || 2 %> + deprecations_as_errors: true + log_level: <%= ENV['CHEF_LOG_LEVEL'] || 'auto' %> + +verifier: + name: inspec + +platforms: + - name: almalinux-8 + - name: almalinux-9 + - name: amazonlinux-2023 + - name: centos-stream-9 + - name: debian-11 + - name: debian-12 + - name: fedora-latest + - name: opensuse-leap-15 + - name: oraclelinux-8 + - name: oraclelinux-9 + - name: rockylinux-8 + - name: rockylinux-9 + - name: ubuntu-20.04 + - name: ubuntu-22.04 + - name: ubuntu-24.04 diff --git a/cookbooks/third-party/openssh-2.11.15/kitchen.yml b/cookbooks/third-party/openssh-2.11.15/kitchen.yml new file mode 100644 index 000000000..e05331dbc --- /dev/null +++ b/cookbooks/third-party/openssh-2.11.15/kitchen.yml 
@@ -0,0 +1,62 @@ +--- +driver: + name: vagrant + +provisioner: + name: chef_zero + product_name: chef + deprecations_as_errors: true + chef_license: accept-no-persist + +verifier: + name: inspec + +platforms: + - name: amazonlinux-2 + - name: centos-7 + - name: centos-stream-8 + - name: debian-10 + - name: debian-10 + - name: freebsd-12 + - name: fedora-latest + - name: opensuse-leap-15 + - name: ubuntu-18.04 + - name: ubuntu-20.04 + - name: macosx-10.15 + driver_config: + box: tas50/macos_10.15 + provider: vmware_desktop + - name: windows-2016 + driver_config: + box: tas50/windows_2016 + - name: windows-2019 + driver_config: + box: tas50/windows_2019 + +suites: + - name: default + run_list: openssh::default + excludes: + - windows-2016 + - windows-2019 + - windows-latest + - name: iptables + run_list: + - openssh::default + - openssh::iptables + excludes: + - almalinux-8 + - centos-7 + - centos-stream-8 + - macosx-10.15 + - opensuse-leap-15 + - rockylinux-8 + - windows-2016 + - windows-2019 + - windows-latest + - name: windows-default + run_list: openssh::default + includes: + - windows-2016 + - windows-2019 + - windows-latest diff --git a/cookbooks/third-party/openssh-2.11.15/libraries/helpers.rb b/cookbooks/third-party/openssh-2.11.15/libraries/helpers.rb new file mode 100644 index 000000000..a1f557b56 --- /dev/null +++ b/cookbooks/third-party/openssh-2.11.15/libraries/helpers.rb 
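Review bot: The `platforms:` list in kitchen.yml contains `- name: debian-10` twice (the fourth and fifth entries), so Test Kitchen is asked to build two instances with the identical name `default-debian-10`; depending on the Kitchen version that is either silently collapsed or a duplicate-instance error, and either way one of the two lines is a mistake. Drop the second entry or, if a second Debian release was intended, name it explicitly (`- name: debian-11`). The `excludes:` lists in the suites also mention `almalinux-8` and `rockylinux-8`, which only exist in kitchen.global.yml; that is fine when the global file is merged in, but a one-line comment above `suites:` saying the excludes assume `KITCHEN_GLOBAL_YAML` would stop readers from hunting for the missing platforms.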
@@ -0,0 +1,85 @@
+#
+# Cookbook:: openssh
+# library:: helpers
+#
+# Copyright:: 2016-2019, Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Attributes are commented out using the default config file values.
+# Uncomment the ones you need, or set attributes in a role.
+#
+
+module Openssh
+  module Helpers
+    def openssh_server_options
+      options = node['openssh']['server'].sort.reject { |key, _value| key == 'port' || key == 'match' || key == 'subsystem' }
+      unless node['openssh']['server']['port'].nil?
+        port = node['openssh']['server'].select { |key| key == 'port' }.to_a
+        options.unshift(*port)
+      end
+      options
+    end
+
+    # are we on a platform that has the sshd-keygen command. It's a redhat-ism so it's a limited number
+    def keygen_platform?
+      return true if platform?('amazon', 'fedora')
+      return true if rhel_7_plus?
+      opensuse_15_plus?
+    end
+
+    # are any of the host keys defined in the attribute missing from the filesystem
+    def sshd_host_keys_missing?
+      !node['openssh']['server']['host_key'].all? { |f| ::File.exist?(f) }
+    end
+
+    def openssh_service_name
+      if platform_family?('rhel', 'fedora', 'suse', 'freebsd', 'gentoo', 'arch', 'mac_os_x', 'amazon', 'aix', 'windows')
+        'sshd'
+      else
+        'ssh'
+      end
+    end
+
+    def base_ssh_config_dir
+      platform_family?('windows') ? 'C:\\ProgramData\\ssh' : '/etc/ssh'
+    end
+
+    def base_ssh_bin_dir
+      platform_family?('windows') ? 'C:\\Program Files\\OpenSSH' : '/usr/sbin/'
+    end
+
+    def join_path(*path)
+      Chef::Util::PathHelper.cleanpath(::File.join(path))
+    end
+
+    def supported_ssh_host_keys
+      keys = [join_path(base_ssh_config_dir, 'ssh_host_rsa_key'), join_path(base_ssh_config_dir, 'ssh_host_ecdsa_key')]
+      keys << join_path(base_ssh_config_dir, 'ssh_host_dsa_key') if platform_family?('smartos', 'suse', 'windows')
+      keys << join_path(base_ssh_config_dir, 'ssh_host_ed25519_key') if rhel_7_plus? || platform?('amazon', 'fedora') || platform_family?('debian', 'windows') || opensuse_15_plus?
+      keys
+    end
+
+    def rhel_7_plus?
+      platform_family?('rhel') && node['platform_version'].to_i >= 7
+    end
+
+    def opensuse_15_plus?
+      platform_family?('suse') && node['platform_version'].to_i >= 15 && node['platform_version'].to_i < 42
+    end
+  end
+end
+
+Chef::Resource.include ::Openssh::Helpers
+Chef::DSL::Recipe.include ::Openssh::Helpers
+Chef::Node.include ::Openssh::Helpers
diff --git a/cookbooks/third-party/openssh-2.11.15/metadata.rb b/cookbooks/third-party/openssh-2.11.15/metadata.rb
new file mode 100644
index 000000000..f13ebba7f
--- /dev/null
+++ b/cookbooks/third-party/openssh-2.11.15/metadata.rb
@@ -0,0 +1,27 @@
+name 'openssh'
+maintainer 'Sous Chefs'
+maintainer_email 'help@sous-chefs.org'
+license 'Apache-2.0'
+description 'Installs and configures OpenSSH client and daemon'
+version '2.11.15'
+source_url 'https://github.com/sous-chefs/openssh'
+issues_url 'https://github.com/sous-chefs/openssh/issues'
+chef_version '>= 12.15'
+
+supports 'aix'
+supports 'amazon'
+supports 'arch'
+supports 'centos'
+supports 'fedora'
+supports 'freebsd'
+supports 'opensuseleap'
+supports 'oracle'
+supports 'redhat'
+supports 'scientific'
+supports 'smartos'
+supports 'suse'
+supports 'ubuntu'
+supports 'windows'
+supports 'zlinux'
+
+depends 'iptables', '>= 7.0'
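Review bot: `openssh_server_options` in libraries/helpers.rb pulls `port` out of the sorted option list and `unshift`s it to the front without saying why, and the reason is a hard sshd constraint rather than taste: sshd refuses to start when a `Port` directive appears after a `ListenAddress` that carries no explicit port. A comment above the `unless` block would keep the next maintainer from "tidying" it back into sorted order: `# sshd rejects a Port directive that follows a ListenAddress line, so Port must be the first option rendered`. The same method silently drops `match` and `subsystem`; naming the reason in that comment (they are rendered by their own template sections, if that is indeed what the template does) would make the filter look deliberate instead of lossy. `sshd_host_keys_missing?` also assumes `node['openssh']['server']['host_key']` is an Array; the attributes file presumably sets it from `supported_ssh_host_keys`, but a short note on the method stating that precondition would be worth adding.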
diff --git a/cookbooks/third-party/openssh-2.11.15/mlc_config.json b/cookbooks/third-party/openssh-2.11.15/mlc_config.json new file mode 100644 index 000000000..9ffd3ef0d --- /dev/null +++ b/cookbooks/third-party/openssh-2.11.15/mlc_config.json @@ -0,0 +1,10 @@ +{ + "ignorePatterns": [ + { + "pattern": "^https://tickets.chef.io/browse/COOK" + }, + { + "pattern": "^https://opencollective.com/sous-chefs/contributors.svg" + } + ] +} \ No newline at end of file diff --git a/cookbooks/third-party/openssh-2.11.15/recipes/default.rb b/cookbooks/third-party/openssh-2.11.15/recipes/default.rb new file mode 100644 index 000000000..165cfd23a --- /dev/null +++ b/cookbooks/third-party/openssh-2.11.15/recipes/default.rb 
@@ -0,0 +1,108 @@ +# +# Cookbook:: openssh +# Recipe:: default +# +# Copyright:: 2008-2019, Chef Software, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +def listen_addr_for(interface, type) + interface_node = node['network']['interfaces'][interface]['addresses'] + interface_node.select { |_address, data| data['family'] == type }.keys[0] +end + +package node['openssh']['package_name'] unless node['openssh']['package_name'].empty? + +template join_path(base_ssh_config_dir, 'ssh_config') do + source 'ssh_config.erb' + mode '0644' unless platform_family?('windows') + owner 'root' unless platform_family?('windows') + group node['root_group'] +end + +if node['openssh']['listen_interfaces'] + listen_addresses = [].tap do |a| + node['openssh']['listen_interfaces'].each_pair do |interface, type| + a << listen_addr_for(interface, type) + end + end + + node.default['openssh']['server']['listen_address'] = listen_addresses +end + +template 'sshd_ca_keys_file' do + source 'ca_keys.erb' + path node['openssh']['server']['trusted_user_c_a_keys'] + mode node['openssh']['config_mode'] unless platform_family?('windows') + owner 'root' unless platform_family?('windows') + group node['root_group'] +end + +template 'sshd_revoked_keys_file' do + source 'revoked_keys.erb' + path node['openssh']['server']['revoked_keys'] + mode node['openssh']['config_mode'] unless platform_family?('windows') + owner 'root' unless platform_family?('windows') + group node['root_group'] +end + +# 
this will only execute on RHEL / Fedora systems where sshd has never been started +# 99.99% of the time this is going to be a docker container +if keygen_platform? && sshd_host_keys_missing? + if platform_family?('fedora', 'rhel', 'amazon') && node['platform_version'].to_i >= 8 # fedora, RHEL 8+, Amazonlinux 2023+ + node['openssh']['server']['host_key'].each do |key| + keytype = key.split('_')[-2] + execute "/usr/libexec/openssh/sshd-keygen #{keytype}" + end + elsif platform_family?('rhel', 'amazon') # RHEL < 8 or Amazon Linux 2 + execute '/usr/sbin/sshd-keygen' + elsif platform_family?('suse') + execute '/usr/sbin/sshd-gen-keys-start' + end +end + +# we probably need this on multiple platforms but we 100% need it on debian based platforms +if platform_family?('debian') + dir = platform?('ubuntu') && node['platform_version'].to_i >= 18 ? '/run/sshd' : '/var/run/sshd' + directory dir +end + +default_sshd_path = if platform_family?('windows') + "\"#{join_path(base_ssh_bin_dir, 'sshd.exe')}\"" + else + join_path(base_ssh_bin_dir, 'sshd') + end + +template join_path(base_ssh_config_dir, 'sshd_config') do + source 'sshd_config.erb' + mode node['openssh']['config_mode'] unless platform_family?('windows') + owner 'root' unless platform_family?('windows') + group node['root_group'] + variables(options: openssh_server_options) + verify "#{default_sshd_path} -t -f %{path}" + notifies :restart, 'service[ssh]' +end + +service 'ssh' do + service_name openssh_service_name + supports value_for_platform_family( + %w(debian rhel fedora aix) => [:restart, :reload, :status], + %w(arch) => [:restart], + 'default' => [:restart, :reload] + ) + action value_for_platform_family( + %w(aix) => [:start], + 'default' => [:enable, :start] + ) +end diff --git a/cookbooks/third-party/openssh-2.11.15/recipes/iptables.rb b/cookbooks/third-party/openssh-2.11.15/recipes/iptables.rb new file mode 100644 index 000000000..eecd05a46 --- /dev/null 
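Review bot: In the `keygen_platform? && sshd_host_keys_missing?` block of recipes/default.rb the per-key `execute "/usr/libexec/openssh/sshd-keygen #{keytype}"` has no guard, so when any single host key is missing Chef runs the generator for every key in `host_key` on every such converge and reports each one as updated, relying on sshd-keygen's own refusal to overwrite an existing file (which I believe it does, but the resource should not depend on it). Adding `creates key` makes each resource idempotent and self-describing: `execute "/usr/libexec/openssh/sshd-keygen #{keytype}" do` / `  creates key` / `end`. Two smaller points in the same file: `listen_addr_for` raises a bare `NoMethodError` when `listen_interfaces` names an interface that is not in ohai's `node['network']['interfaces']`, and a `raise ArgumentError, "interface #{interface} not found"` guard would give a readable failure; and the `verify "#{default_sshd_path} -t -f %{path}"` check is the right defensive step here and deserves a one-line comment so nobody removes it when simplifying the template resource.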
+++ b/cookbooks/third-party/openssh-2.11.15/recipes/iptables.rb
@@ -0,0 +1,52 @@
+#
+# Cookbook:: openssh
+# Recipe:: iptables
+#
+# Copyright:: 2013-2019, Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# The iptables cookbook doesn't support Windows
+return if platform_family?('windows')
+
+iptables_packages 'install iptables'
+iptables_service 'start iptables'
+
+sshd_port = if node['openssh'].attribute?('server') && node['openssh']['server'].attribute?('port')
+              if node['openssh']['server']['port'].is_a?(Array)
+                node['openssh']['server']['port']
+              else
+                [node['openssh']['server']['port']]
+              end
+            else
+              [22]
+            end
+
+sshd_port.each do |port|
+  iptables_rule 'ssh_input' do
+    chain :INPUT
+    jump 'ACCEPT'
+    protocol 'tcp'
+    match 'tcp'
+    extra_options "--dport #{port}"
+  end
+
+  iptables_rule 'ssh_output' do
+    chain :OUTPUT
+    jump 'ACCEPT'
+    protocol 'tcp'
+    match 'tcp'
+    extra_options "--sport #{port}"
+  end
+end
diff --git a/cookbooks/third-party/openssh-2.11.15/renovate.json b/cookbooks/third-party/openssh-2.11.15/renovate.json
new file mode 100644
index 000000000..a0b29c85c
--- /dev/null
+++ b/cookbooks/third-party/openssh-2.11.15/renovate.json
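Review bot: Every iteration of `sshd_port.each` in recipes/iptables.rb declares `iptables_rule 'ssh_input'` and `iptables_rule 'ssh_output'` under the same two names, so with two or more ports the run holds several resources of identical name; the chefspec shows they still all render, but a notification or `edit_resource` lookup by name becomes ambiguous and the converge log cannot tell the rules apart. Naming them per port avoids that: `iptables_rule "ssh_input_#{port}" do` and `iptables_rule "ssh_output_#{port}" do`. Separately, the OUTPUT rule accepts any TCP packet whose source port equals the sshd port irrespective of connection state; if the iptables cookbook's defaults already install a conntrack ESTABLISHED/RELATED accept this rule is redundant, and if they do not, qualifying it with `-m conntrack --ctstate ESTABLISHED` in `extra_options` would state the intent (reply traffic only) rather than a blanket source-port allow. The `sshd_port` fallback also wraps whatever the attribute holds, so an explicit `nil` port would render `--dport ` and fail at iptables-restore; a `.compact` on the array or a `raise` on an empty value would surface that at compile time.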
@@ -0,0 +1,18 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": ["config:base"], + "packageRules": [ + { + "groupName": "Actions", + "matchUpdateTypes": ["minor", "patch", "pin"], + "automerge": true, + "addLabels": ["Release: Patch", "Skip: Announcements"] + }, + { + "groupName": "Actions", + "matchUpdateTypes": ["major"], + "automerge": false, + "addLabels": ["Release: Patch", "Skip: Announcements"] + } + ] +} diff --git a/cookbooks/third-party/openssh-2.11.15/spec/spec_helper.rb b/cookbooks/third-party/openssh-2.11.15/spec/spec_helper.rb new file mode 100644 index 000000000..5ce676375 --- /dev/null +++ b/cookbooks/third-party/openssh-2.11.15/spec/spec_helper.rb @@ -0,0 +1,14 @@ +require 'chefspec' +require 'chefspec/berkshelf' + +RSpec.configure do |config| + config.color = true # Use color in STDOUT + config.formatter = :documentation # Use the specified formatter + config.log_level = :error # Avoid deprecation notice SPAM + config.platform = 'ubuntu' + config.version = '18.04' +end + +def join_path(*path) + Chef::Util::PathHelper.cleanpath(::File.join(path)) +end diff --git a/cookbooks/third-party/openssh-2.11.15/spec/unit/recipes/default_spec.rb b/cookbooks/third-party/openssh-2.11.15/spec/unit/recipes/default_spec.rb new file mode 100644 index 000000000..ffc203956 --- /dev/null +++ b/cookbooks/third-party/openssh-2.11.15/spec/unit/recipes/default_spec.rb 
@@ -0,0 +1,267 @@ +require 'spec_helper' + +describe 'openssh::default' do + it 'writes the ssh_config' do + template = chef_run.template('/etc/ssh/ssh_config') + expect(template).to be + expect(template.mode).to eq('0644') + expect(template.owner).to eq('root') + expect(template.group).to eq('root') + end + + describe 'sshd_config' do + it 'writes the sshd_config' do + template = chef_run.template('/etc/ssh/sshd_config') + expect(template).to be + expect(template.mode).to eq('0644') + expect(template.owner).to eq('root') + expect(template.group).to eq('root') + end + + it 'allow legacy default AuthorizedKeysFile behavior' do + expect(chef_run).to_not render_file('/etc/ssh/sshd_config').with_content(/AuthorizedKeysFile.*/) + end + + it 'writes a match group block' do + chef_run.node.override['openssh']['server']['match'] = { 'Group admins' => { 'permit_tunnel' => 'yes' } } + chef_run.converge('openssh::default') + expect(chef_run).to render_file('/etc/ssh/sshd_config').with_content(/Match Group admins\n\s\sPermitTunnel yes/) + end + + it 'skips match group block' do + chef_run.node.override['openssh']['server']['match'] = {} + chef_run.converge('openssh::default') + expect(chef_run).to_not render_file('/etc/ssh/sshd_config').with_content(/Match Group admins\n\s\sPermitTunnel yes/) + end + + it 'write multiple SSH subsystems from Hash' do + chef_run.node.override['openssh']['server']['subsystem'] = { + sftp: '/usr/lib/openssh/sftp-server', + test: '/my/subsystem/bin', + } + chef_run.converge('openssh::default') + expect(chef_run).to render_file('/etc/ssh/sshd_config').with_content(%r{Subsystem sftp \/usr\/lib\/openssh\/sftp-server\nSubsystem test.*}) + end + + it 'skips subsystems block' do + chef_run.node.override['openssh']['server']['subsystem'] = {} + chef_run.converge('openssh::default') + expect(chef_run).to_not render_file('/etc/ssh/sshd_config').with_content(/^Subsystem?/) + end + + it 'supports legacy subsystem format' do + 
chef_run.node.override['openssh']['server']['subsystem'] = 'sftp /usr/lib/openssh/sftp-server' + chef_run.converge('openssh::default') + expect(chef_run).to render_file('/etc/ssh/sshd_config').with_content(%r{Subsystem sftp \/usr\/lib\/openssh\/sftp-server\n}) + end + + it 'allows subsystem from Array attribute' do + chef_run.node.override['openssh']['server']['subsystem'] = [ + 'sftp /usr/lib/openssh/sftp-server', + 'test /my/subsystem/bin', + ] + chef_run.converge('openssh::default') + expect(chef_run).to render_file('/etc/ssh/sshd_config').with_content(%r{Subsystem sftp \/usr\/lib\/openssh\/sftp-server\nSubsystem test.*}) + end + + context 'port set without listen address set' do + cached(:chef_run) do + ChefSpec::SoloRunner.new(platform: 'ubuntu', version: '20.04') do |node| + node.normal['openssh']['server']['port'] = 1234 + end.converge('openssh::default') + end + + it 'writes out port at the top of the config' do + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(/# Do NOT modify this file by hand!\n\nPort 1234/) + end + end + + context 'supports multiple ports' do + cached(:chef_run) do + ChefSpec::SoloRunner.new do |node| + node.normal['openssh']['server']['port'] = [1234, 1235] + end.converge('openssh::default') + end + + it 'writes both ports to sshd_config' do + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(/Port 1234/) + .with_content(/Port 1235/) + end + end + + context 'supports ca keys and revoked keys' do + cached(:chef_run) do + ChefSpec::SoloRunner.new do |node| + node.normal['openssh']['ca_keys'] = ['ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJt7VN0YkI2jVnWUod8I/Qy9Am4lq0VOmFUTbzrMVTM8iut8E7heWu8G5QsDFLi3BNcU5wnwWO8rTWZZh1CJq6+zVn010rUYZhDxjlvFD4ZOUrN4RqsxSPBAaW2tgNXwoNeBgx/ZIrDSqj1xKP2Dixri2AxAuTQvxLn249dAv6MRwBGWJDtqOo0606VdQ933lq7eoYy57wvLtHBQHqZnjboIUtBxQTLyHrGTc0UdUrWRTtU8geynX2ABRWYKrHsXixgqPcYiiJOyrMufQEWzXr4u6PQs5LiSVsM9b6n8Aq184LDJiybDhQXEYnO8VeCV8v8GaDOGV4HB9W/15Fpxd/ ca'] + 
node.normal['openssh']['revoked_keys'] = ['ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCeNFbS05i75Na662aH5uzXvdWqWxLELs1kEy3L60EYJpZ9GzJ4ByR7Gk2EQE5Knvpm/ck3en6ef1nyJzniELrPwO1OwVqVfNGjiz+4cl9EjReuk+wKWhoHpM2clEpp52Kl0TSBKt+oDCsv0REc0uSyi7rWkQSuRqnZvoxx3M7UIWJhMpFYKM2Few8c90ckHG4SY1Qcj2E/zI5ueVDz/jRfogF10dgSC8J4H6OO9+4N42EASQDbWFx1CO5jqB+1dmf3/7KbvdZUsO9zF1D5Kphk+bLm4SnIQsOJE5cfnqSNIvP6UcW2gNxHD4inxGQvz5Gljk3yYZ7n6HwDHo7hukpP user'] + end.converge('openssh::default') + end + + it 'writes the ca_keys' do + template = chef_run.template('/etc/ssh/ca_keys') + expect(template).to be + expect(template.mode).to eq('0644') + expect(template.owner).to eq('root') + expect(template.group).to eq('root') + end + + it 'writes the revoked_keys' do + template = chef_run.template('/etc/ssh/revoked_keys') + expect(template).to be + expect(template.mode).to eq('0644') + expect(template.owner).to eq('root') + expect(template.group).to eq('root') + end + + it 'writes ca public key to ca_keys file' do + expect(chef_run).to render_file('/etc/ssh/ca_keys') + .with_content { |content| + expect(content).to include('ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJt7VN0YkI2jVnWUod8I/Qy9Am4lq0VOmFUTbzrMVTM8iut8E7heWu8G5QsDFLi3BNcU5wnwWO8rTWZZh1CJq6+zVn010rUYZhDxjlvFD4ZOUrN4RqsxSPBAaW2tgNXwoNeBgx/ZIrDSqj1xKP2Dixri2AxAuTQvxLn249dAv6MRwBGWJDtqOo0606VdQ933lq7eoYy57wvLtHBQHqZnjboIUtBxQTLyHrGTc0UdUrWRTtU8geynX2ABRWYKrHsXixgqPcYiiJOyrMufQEWzXr4u6PQs5LiSVsM9b6n8Aq184LDJiybDhQXEYnO8VeCV8v8GaDOGV4HB9W/15Fpxd/ ca') + } + end + + it 'writes user public key to revoked_keys file' do + expect(chef_run).to render_file('/etc/ssh/revoked_keys') + .with_content { |content| + expect(content).to include('ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQCeNFbS05i75Na662aH5uzXvdWqWxLELs1kEy3L60EYJpZ9GzJ4ByR7Gk2EQE5Knvpm/ck3en6ef1nyJzniELrPwO1OwVqVfNGjiz+4cl9EjReuk+wKWhoHpM2clEpp52Kl0TSBKt+oDCsv0REc0uSyi7rWkQSuRqnZvoxx3M7UIWJhMpFYKM2Few8c90ckHG4SY1Qcj2E/zI5ueVDz/jRfogF10dgSC8J4H6OO9+4N42EASQDbWFx1CO5jqB+1dmf3/7KbvdZUsO9zF1D5Kphk+bLm4SnIQsOJE5cfnqSNIvP6UcW2gNxHD4inxGQvz5Gljk3yYZ7n6HwDHo7hukpP user') + } + end + end + end + + context 'openssh::default on Debian 9' do + platform 'debian', '9' + + it 'installs the openssh packages' do + expect(chef_run).to install_package(%w(openssh-client openssh-server)) + end + + it 'starts the ssh service' do + expect(chef_run).to start_service('ssh') + expect(chef_run).to enable_service('ssh') + end + end + + context 'openssh::default on Debian 10' do + platform 'debian', '10' + + it 'installs the openssh packages' do + expect(chef_run).to install_package(%w(openssh-client openssh-server)) + end + + it 'starts the ssh service' do + expect(chef_run).to start_service('ssh') + expect(chef_run).to enable_service('ssh') + end + end + + context 'openssh::default on Ubuntu 18.04' do + platform 'ubuntu', '18.04' + + it 'installs the openssh packages' do + expect(chef_run).to install_package(%w(openssh-client openssh-server)) + end + + it 'starts the ssh service' do + expect(chef_run).to start_service('ssh') + expect(chef_run).to enable_service('ssh') + end + end + + context 'openssh::default on Ubuntu 20.04' do + platform 'ubuntu', '20.04' + + it 'installs the openssh packages' do + expect(chef_run).to install_package(%w(openssh-client openssh-server)) + end + + it 'starts the ssh service' do + expect(chef_run).to start_service('ssh') + expect(chef_run).to enable_service('ssh') + end + end + + context 'openssh::default on CentOS 7' do + platform 'centos', '7' + + it 'installs the openssh packages' do + expect(chef_run).to install_package(%w(openssh-clients openssh-server)) + end + + it 'starts the ssh service' do + expect(chef_run).to start_service('ssh') + 
expect(chef_run).to enable_service('ssh') + end + end + + context 'openssh::default on CentOS 8' do + platform 'centos', '8' + + it 'installs the openssh packages' do + expect(chef_run).to install_package(%w(openssh-clients openssh-server)) + end + + it 'starts the ssh service' do + expect(chef_run).to start_service('ssh') + expect(chef_run).to enable_service('ssh') + end + end + + context 'openssh::default on Fedora' do + platform 'fedora', '32' + + it 'installs the openssh packages' do + expect(chef_run).to install_package(%w(openssh-clients openssh-server)) + end + + it 'starts the ssh service' do + expect(chef_run).to start_service('ssh') + expect(chef_run).to enable_service('ssh') + end + end + + context 'openssh::default on openSUSE 15' do + platform 'opensuse', '15' + + it 'installs the openssh packages' do + expect(chef_run).to install_package(['openssh']) + end + + it 'starts the ssh service' do + expect(chef_run).to start_service('ssh') + expect(chef_run).to enable_service('ssh') + end + end + + # context 'openssh::default on openSUSE 15' do + # platform 'opensuse', '15' + + # it 'installs the openssh packages' do + # expect(chef_run).to install_package(['openssh']) + # end + + # it 'starts the ssh service' do + # expect(chef_run).to start_service('ssh') + # expect(chef_run).to enable_service('ssh') + # end + # end + + context 'openssh::default on macOS' do + cached(:chef_run) do + ChefSpec::SoloRunner.new(platform: 'mac_os_x', version: '10.15') do + stub_command('sudo systemsetup -getremotelogin | grep "On"').and_return(1) + end.converge('openssh::default') + end + + it 'does not install an openssh package' do + expect(chef_run).to_not install_package(['openssh']) + end + + it 'starts the ssh service' do + expect(chef_run).to start_service('ssh') + expect(chef_run).to enable_service('ssh') + end + end +end 
diff --git a/cookbooks/third-party/openssh-2.11.15/spec/unit/recipes/default_windows_spec.rb b/cookbooks/third-party/openssh-2.11.15/spec/unit/recipes/default_windows_spec.rb new file mode 100644 index 000000000..d61d37d8d --- /dev/null +++ b/cookbooks/third-party/openssh-2.11.15/spec/unit/recipes/default_windows_spec.rb 
@@ -0,0 +1,136 @@ +require 'spec_helper' + +describe 'openssh::default' do + context 'Windows' do + platform 'windows', '2016' + + let(:ssh_config_path) { join_path('C:\\ProgramData\\ssh', 'ssh_config') } + let(:sshd_config_path) { join_path('C:\\ProgramData\\ssh', 'sshd_config') } + let(:ca_keys_path) { join_path('C:\\ProgramData\\ssh', 'ca_userkeys.pub') } + let(:revoked_keys_path) { join_path('C:\\ProgramData\\ssh', 'revoked_keys') } + + describe 'ssh_config' do + it 'writes the ssh_config' do + template = chef_run.template(ssh_config_path) + expect(template).to be + end + end + + describe 'sshd_config' do + it 'writes the sshd_config' do + template = chef_run.template(sshd_config_path) + expect(template).to be + end + + it 'does not use PAM option on Windows' do + expect(chef_run).to_not render_file(sshd_config_path).with_content(/UsePAM/) + end + + it 'allow legacy default AuthorizedKeysFile behavior' do + expect(chef_run).to_not render_file(sshd_config_path).with_content(/AuthorizedKeysFile.*/) + end + + it 'writes a match group block' do + chef_run.node.override['openssh']['server']['match'] = { 'Group admins' => { 'permit_tunnel' => 'yes' } } + chef_run.converge('openssh::default') + expect(chef_run).to render_file(sshd_config_path).with_content(/Match Group admins\n\s\sPermitTunnel yes/) + end + + it 'skips match group block' do + chef_run.node.override['openssh']['server']['match'] = {} + chef_run.converge('openssh::default') + expect(chef_run).to_not render_file(sshd_config_path).with_content(/Match Group admins\n\s\sPermitTunnel yes/) + end + + it 'write multiple SSH subsystems from Hash' do + chef_run.node.override['openssh']['server']['subsystem'] = { + sftp: '/usr/lib/openssh/sftp-server', + test: '/my/subsystem/bin', + } + chef_run.converge('openssh::default') + expect(chef_run).to render_file(sshd_config_path).with_content(%r{Subsystem sftp \/usr\/lib\/openssh\/sftp-server\nSubsystem test.*}) + end + + it 'skips subsystems block' do + 
chef_run.node.override['openssh']['server']['subsystem'] = {} + chef_run.converge('openssh::default') + expect(chef_run).to_not render_file(sshd_config_path).with_content(/^Subsystem?/) + end + + it 'supports legacy subsystem format' do + chef_run.node.override['openssh']['server']['subsystem'] = 'sftp /usr/lib/openssh/sftp-server' + chef_run.converge('openssh::default') + expect(chef_run).to render_file(sshd_config_path).with_content(%r{Subsystem sftp \/usr\/lib\/openssh\/sftp-server\n}) + end + + it 'allows subsystem from Array attribute' do + chef_run.node.override['openssh']['server']['subsystem'] = [ + 'sftp /usr/lib/openssh/sftp-server', + 'test /my/subsystem/bin', + ] + chef_run.converge('openssh::default') + expect(chef_run).to render_file(sshd_config_path).with_content(%r{Subsystem sftp \/usr\/lib\/openssh\/sftp-server\nSubsystem test.*}) + end + + context 'port set without listen address set' do + cached(:chef_run) do + ChefSpec::SoloRunner.new(platform: 'windows', version: '2016') do |node| + node.normal['openssh']['server']['port'] = 1234 + end.converge('openssh::default') + end + + it 'writes out port at the top of the config' do + expect(chef_run).to render_file(sshd_config_path) + .with_content(/# Do NOT modify this file by hand!\n\nPort 1234/) + end + end + + context 'supports multiple ports' do + cached(:chef_run) do + ChefSpec::SoloRunner.new(platform: 'windows', version: '2016') do |node| + node.normal['openssh']['server']['port'] = [1234, 1235] + end.converge('openssh::default') + end + + it 'writes both ports to sshd_config' do + expect(chef_run).to render_file(sshd_config_path) + .with_content(/Port 1234/) + .with_content(/Port 1235/) + end + end + + context 'supports ca keys and revoked keys' do + cached(:chef_run) do + ChefSpec::SoloRunner.new(platform: 'windows', version: '2016') do |node| + node.normal['openssh']['ca_keys'] = ['ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDJt7VN0YkI2jVnWUod8I/Qy9Am4lq0VOmFUTbzrMVTM8iut8E7heWu8G5QsDFLi3BNcU5wnwWO8rTWZZh1CJq6+zVn010rUYZhDxjlvFD4ZOUrN4RqsxSPBAaW2tgNXwoNeBgx/ZIrDSqj1xKP2Dixri2AxAuTQvxLn249dAv6MRwBGWJDtqOo0606VdQ933lq7eoYy57wvLtHBQHqZnjboIUtBxQTLyHrGTc0UdUrWRTtU8geynX2ABRWYKrHsXixgqPcYiiJOyrMufQEWzXr4u6PQs5LiSVsM9b6n8Aq184LDJiybDhQXEYnO8VeCV8v8GaDOGV4HB9W/15Fpxd/ ca'] + node.normal['openssh']['revoked_keys'] = ['ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCeNFbS05i75Na662aH5uzXvdWqWxLELs1kEy3L60EYJpZ9GzJ4ByR7Gk2EQE5Knvpm/ck3en6ef1nyJzniELrPwO1OwVqVfNGjiz+4cl9EjReuk+wKWhoHpM2clEpp52Kl0TSBKt+oDCsv0REc0uSyi7rWkQSuRqnZvoxx3M7UIWJhMpFYKM2Few8c90ckHG4SY1Qcj2E/zI5ueVDz/jRfogF10dgSC8J4H6OO9+4N42EASQDbWFx1CO5jqB+1dmf3/7KbvdZUsO9zF1D5Kphk+bLm4SnIQsOJE5cfnqSNIvP6UcW2gNxHD4inxGQvz5Gljk3yYZ7n6HwDHo7hukpP user'] + end.converge('openssh::default') + end + + it 'writes the ca_keys' do + template = chef_run.template(ca_keys_path) + expect(template).to be + end + + it 'writes the revoked_keys' do + template = chef_run.template(revoked_keys_path) + expect(template).to be + end + + it 'writes ca public key to ca_keys file' do + expect(chef_run).to render_file(ca_keys_path) + .with_content { |content| + expect(content).to include('ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJt7VN0YkI2jVnWUod8I/Qy9Am4lq0VOmFUTbzrMVTM8iut8E7heWu8G5QsDFLi3BNcU5wnwWO8rTWZZh1CJq6+zVn010rUYZhDxjlvFD4ZOUrN4RqsxSPBAaW2tgNXwoNeBgx/ZIrDSqj1xKP2Dixri2AxAuTQvxLn249dAv6MRwBGWJDtqOo0606VdQ933lq7eoYy57wvLtHBQHqZnjboIUtBxQTLyHrGTc0UdUrWRTtU8geynX2ABRWYKrHsXixgqPcYiiJOyrMufQEWzXr4u6PQs5LiSVsM9b6n8Aq184LDJiybDhQXEYnO8VeCV8v8GaDOGV4HB9W/15Fpxd/ ca') + } + end + + it 'writes user public key to revoked_keys file' do + expect(chef_run).to render_file(revoked_keys_path) + .with_content { |content| + expect(content).to include('ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQCeNFbS05i75Na662aH5uzXvdWqWxLELs1kEy3L60EYJpZ9GzJ4ByR7Gk2EQE5Knvpm/ck3en6ef1nyJzniELrPwO1OwVqVfNGjiz+4cl9EjReuk+wKWhoHpM2clEpp52Kl0TSBKt+oDCsv0REc0uSyi7rWkQSuRqnZvoxx3M7UIWJhMpFYKM2Few8c90ckHG4SY1Qcj2E/zI5ueVDz/jRfogF10dgSC8J4H6OO9+4N42EASQDbWFx1CO5jqB+1dmf3/7KbvdZUsO9zF1D5Kphk+bLm4SnIQsOJE5cfnqSNIvP6UcW2gNxHD4inxGQvz5Gljk3yYZ7n6HwDHo7hukpP user') + } + end + end + end + end +end diff --git a/cookbooks/third-party/openssh-2.11.15/spec/unit/recipes/iptables_spec.rb b/cookbooks/third-party/openssh-2.11.15/spec/unit/recipes/iptables_spec.rb new file mode 100644 index 000000000..9ea0ada52 --- /dev/null +++ b/cookbooks/third-party/openssh-2.11.15/spec/unit/recipes/iptables_spec.rb 
@@ -0,0 +1,47 @@
+require 'spec_helper'
+
+describe 'openssh::iptables' do
+ context 'default attribute, no port set' do
+ let(:chef_run) { ChefSpec::SoloRunner.new(platform: 'ubuntu', version: '20.04', step_into: ['iptables_rule']).converge(described_recipe) }
+
+ it 'renders the iptables rule in a template' do
+ expect(chef_run).to create_template('/etc/iptables/rules.v4')
+ end
+
+ it 'contains the default port (22) for sshd' do
+ expect(chef_run).to render_file('/etc/iptables/rules.v4')
+ .with_content('-A INPUT -p tcp -m tcp -j ACCEPT --dport 22')
+ .with_content('-A OUTPUT -p tcp -m tcp -j ACCEPT --sport 22')
+ end
+ end
+
+ context 'non-default port set' do
+ let(:chef_run) do
+ ChefSpec::SoloRunner.new(step_into: ['iptables_rule']) do |node|
+ node.normal['openssh']['server']['port'] = '4242'
+ end.converge(described_recipe)
+ end
+
+ it 'contains the non-default port from the attribute' do
+ expect(chef_run).to render_file('/etc/iptables/rules.v4')
+ .with_content('-A INPUT -p tcp -m tcp -j ACCEPT --dport 4242')
+ .with_content('-A OUTPUT -p tcp -m tcp -j ACCEPT --sport 4242')
+ end
+ end
+
+ context 'supports multiple ports' do
+ let(:chef_run) do
+ ChefSpec::SoloRunner.new(platform: 'ubuntu', version: '20.04', step_into: ['iptables_rule']) do |node|
+ node.normal['openssh']['server']['port'] = [1234, 1235]
+ end.converge(described_recipe)
+ end
+
+ it 'contains both ports from' do
+ expect(chef_run).to render_file('/etc/iptables/rules.v4')
+ .with_content('-A INPUT -p tcp -m tcp -j ACCEPT --dport 1234')
+ .with_content('-A OUTPUT -p tcp -m tcp -j ACCEPT --sport 1234')
+ .with_content('-A INPUT -p tcp -m tcp -j ACCEPT --dport 1235')
+ .with_content('-A OUTPUT -p tcp -m tcp -j ACCEPT --sport 1235')
+ end
+ end
+end
diff --git a/cookbooks/third-party/openssh-2.11.15/templates/ca_keys.erb b/cookbooks/third-party/openssh-2.11.15/templates/ca_keys.erb
new file mode 100644
index 000000000..ba8420a1f
--- /dev/null
+++ b/cookbooks/third-party/openssh-2.11.15/templates/ca_keys.erb
@@ -0,0 +1,7 @@
+# This file was generated by Chef
+# Do NOT modify this file by hand!
+
+# One CA public key per line
+<% node['openssh']['ca_keys'].each do |key| -%>
+<%=key %>
+<% end -%>
diff --git a/cookbooks/third-party/openssh-2.11.15/templates/port_ssh.erb b/cookbooks/third-party/openssh-2.11.15/templates/port_ssh.erb
new file mode 100644
index 000000000..5c87db079
--- /dev/null
+++ b/cookbooks/third-party/openssh-2.11.15/templates/port_ssh.erb
@@ -0,0 +1,8 @@
+# SSH
+<% if @port.kind_of? Array -%>
+<% @port.each do |item| -%>
+-A FWR -p tcp -m tcp --dport <%= item %> -j ACCEPT
+<% end -%>
+<% else -%>
+-A FWR -p tcp -m tcp --dport <%= @port %> -j ACCEPT
+<% end -%>
diff --git a/cookbooks/third-party/openssh-2.11.15/templates/revoked_keys.erb b/cookbooks/third-party/openssh-2.11.15/templates/revoked_keys.erb
new file mode 100644
index 000000000..07c5f1e66
--- /dev/null
+++ b/cookbooks/third-party/openssh-2.11.15/templates/revoked_keys.erb
@@ -0,0 +1,7 @@
+# This file was generated by Chef
+# Do NOT modify this file by hand!
+
+# One certificate/public key per line
+<% node['openssh']['revoked_keys'].each do |key| -%>
+<%=key %>
+<% end -%>
diff --git a/cookbooks/third-party/openssh-2.11.15/templates/ssh_config.erb b/cookbooks/third-party/openssh-2.11.15/templates/ssh_config.erb
new file mode 100644
index 000000000..e2ef6d159
--- /dev/null
+++ b/cookbooks/third-party/openssh-2.11.15/templates/ssh_config.erb
@@ -0,0 +1,23 @@
+# This file was generated by Chef
+# Do NOT modify this file by hand!
+
+<% node['openssh']['client'].each do |key, value| -%>
+<% if value.kind_of? Array -%>
+<% value.each do |item| -%>
+<%= "#{key.split("_").map { |w| w.capitalize}.join} #{item}" %>
+<% end -%>
+<% elsif value.kind_of? Hash -%>
+<%= "Host #{key}"%>
+<% value.each do |host_key, host_value| -%>
+<% if host_value.kind_of? Array -%>
+<% host_value.each do |item| -%>
+<%= " #{host_key.split("_").map { |w| w.capitalize}.join} #{item}" %>
+<% end -%>
+<% else -%>
+<%= " #{host_key.split("_").map { |w| w.capitalize}.join} #{host_value}" %>
+<% end -%>
+<% end -%>
+<% else -%>
+<%= "#{key.split("_").map { |w| w.capitalize}.join} #{value}"%>
+<% end -%>
+<% end -%>
diff --git a/cookbooks/third-party/openssh-2.11.15/templates/sshd_config.erb b/cookbooks/third-party/openssh-2.11.15/templates/sshd_config.erb
new file mode 100644
index 000000000..43e6a101e
--- /dev/null
+++ b/cookbooks/third-party/openssh-2.11.15/templates/sshd_config.erb
@@ -0,0 +1,42 @@
+# This file was generated by Chef
+# Do NOT modify this file by hand!
+
+<% @options.map do |key, value| -%>
+<% if value.kind_of? Array -%>
+<% value.each do |item| -%>
+<%= "#{key.split("_").map { |w| w.capitalize}.join} #{item}" %>
+<% end -%>
+<% else -%>
+<%= "#{key.split("_").map { |w| w.capitalize}.join} #{value}"%>
+<% end -%>
+<% end -%>
+
+<% if defined?(node['openssh']['server']['subsystem']) -%>
+<% if node['openssh']['server']['subsystem'].is_a?(Hash) -%>
+<% node['openssh']['server']['subsystem'].map do |subsystem_name, subsystem_value| -%>
+Subsystem <%= subsystem_name %> <%= subsystem_value %>
+<% end -%>
+<% elsif node['openssh']['server']['subsystem'].is_a?(Array) -%>
+<% node['openssh']['server']['subsystem'].each do |subsystem| -%>
+Subsystem <%= subsystem %>
+<% end -%>
+<% elsif node['openssh']['server']['subsystem'].is_a?(String) -%>
+Subsystem <%= node['openssh']['server']['subsystem'] %>
+<% end -%>
+<% end -%>
+
+<% unless node['openssh']['server']['match'].empty? || !defined?(node['openssh']['server']['match']) -%>
+<% node['openssh']['server']['match'].sort.map do |match_key, match_items| -%>
+Match <%= match_key.sub(/^[0-9]+/, '').strip %>
+<% match_items.sort.map do |key, value| -%>
+<% if value.kind_of? Array -%>
+<% value.each do |item| -%>
+<%= " #{key.split("_").map { |w| w.capitalize}.join} #{item}" %>
+<% end -%>
+<% else -%>
+<%= " #{key.split("_").map { |w| w.capitalize}.join} #{value}"%>
+<% end -%>
+<% end -%>
+<% end -%>
+Match all
+<% end -%>
diff --git a/cookbooks/third-party/openssh-2.11.15/test/integration/default/default_spec.rb b/cookbooks/third-party/openssh-2.11.15/test/integration/default/default_spec.rb
new file mode 100644
index 000000000..5634ab993
--- /dev/null
+++ b/cookbooks/third-party/openssh-2.11.15/test/integration/default/default_spec.rb
@@ -0,0 +1,26 @@
+service_name = if os.debian? || os.darwin?
+ 'ssh'
+ else
+ 'sshd'
+ end
+
+describe service(service_name) do
+ it { should be_enabled }
+ it { should be_running }
+end
+
+describe port(22) do
+ it { should be_listening }
+end
+
+describe ssh_config do
+ its('UseRoaming') { should eq 'no' }
+end
+
+# Attempt to ssh to localhost
+describe command('ssh -oStrictHostKeyChecking=no -v localhost') do
+ # No way of actually sshing in without a keypair or password
+ # but being prompted for an authentication method should be sufficient to
+ # test that SSH is working as expected, for the most part
+ its('stderr') { should match 'Next authentication method' }
+end
diff --git a/cookbooks/third-party/openssh-2.11.15/test/integration/iptables/default_spec.rb b/cookbooks/third-party/openssh-2.11.15/test/integration/iptables/default_spec.rb
new file mode 100644
index 000000000..286d858da
--- /dev/null
+++ b/cookbooks/third-party/openssh-2.11.15/test/integration/iptables/default_spec.rb
@@ -0,0 +1,20 @@
+service_name = case os[:family]
+ when 'ubuntu', 'debian'
+ 'ssh'
+ else
+ 'sshd'
+ end
+
+describe service(service_name) do
+ it { should be_enabled }
+ it { should be_running }
+end
+
+describe port(22) do
+ it { should be_listening }
+end
+
+describe iptables do
+ it { should have_rule('-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT') }
+ it { should have_rule('-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT') }
+end
diff --git a/cookbooks/third-party/openssh-2.11.15/test/integration/windows-default/default_spec.rb b/cookbooks/third-party/openssh-2.11.15/test/integration/windows-default/default_spec.rb
new file mode 100644
index 000000000..cc55af07a
--- /dev/null
+++ b/cookbooks/third-party/openssh-2.11.15/test/integration/windows-default/default_spec.rb
@@ -0,0 +1,37 @@
+service_name = 'sshd'
+
+describe service(service_name) do
+ it { should be_enabled }
+ it { should be_running }
+end
+
+describe port(22) do
+ it { should be_listening }
+end
+
+describe ssh_config do
+ its('UseRoaming') { should eq 'no' }
+end
+
+# Attempt to ssh to localhost
+script_stderr = <<-EOF
+ Start-Process ssh "-oStrictHostKeyChecking=no -oPasswordAuthentication=no -v localhost" -NoNewWindow -Wait -RedirectStandardOutput stdOut.log -RedirectStandardError stdErr.log; gc stdErr.log; rm *.log
+EOF
+
+describe powershell(script_stderr) do
+ # No way of actually sshing in without a keypair or password
+ # but being prompted for an authentication method should be sufficient to
+ # test that SSH is working as expected, for the most part
+ its('stdout') { should match /Next authentication method/ }
+end
+
+script_stdout = <<-EOF
+ Start-Process ssh "-oStrictHostKeyChecking=no -oPasswordAuthentication=no -v localhost" -NoNewWindow -Wait -RedirectStandardOutput stdOut.log -RedirectStandardError stdErr.log; gc stdOut.log; rm *.log
+EOF
+
+describe powershell(script_stdout) do
+ # No way of actually sshing in without a keypair or password
+ # but being prompted for an authentication method should be sufficient to
+ # test that SSH is working as expected, for the most part
+ its('stdout') { should eq '' }
+end
diff --git a/metadata.rb b/metadata.rb
index 63eb4c8f7..ba33bf8ff 100644
--- a/metadata.rb
+++ b/metadata.rb
@@ -13,7 +13,7 @@
 depends 'iptables', '~> 8.0.0'
 depends 'line', '~> 4.5.13'
 depends 'nfs', '~> 5.1.2'
-depends 'openssh', '~> 2.11.12'
+depends 'openssh', '~> 2.11.15'
 depends 'pyenv', '~> 4.2.3'
 depends 'yum', '~> 7.4.13'
 depends 'yum-epel', '~> 5.0.2'