

Add support for extra configuration options & improve readability with block syntax
bdwyertech committed Mar 31, 2017
1 parent d4dc236 commit 71e661c
Showing 3 changed files with 73 additions and 49 deletions.
108 changes: 59 additions & 49 deletions attributes/default.rb
Expand Up @@ -52,55 +52,65 @@
default['ssh-hardening']['ssh']['ports'] = [22]

# ssh client
default['ssh-hardening']['ssh']['client']['mac'] = nil # nil = calculate best combination for client
default['ssh-hardening']['ssh']['client']['kex'] = nil # nil = calculate best combination for client
default['ssh-hardening']['ssh']['client']['cipher'] = nil # nil = calculate best combination for client
default['ssh-hardening']['ssh']['client']['cbc_required'] = false
default['ssh-hardening']['ssh']['client']['weak_hmac'] = false
default['ssh-hardening']['ssh']['client']['weak_kex'] = false
default['ssh-hardening']['ssh']['client']['remote_hosts'] = []
default['ssh-hardening']['ssh']['client']['password_authentication'] = false # ssh
# http://undeadly.org/cgi?action=article&sid=20160114142733
default['ssh-hardening']['ssh']['client']['roaming'] = false
default['ssh-hardening']['ssh']['client']['send_env'] = ['LANG', 'LC_*', 'LANGUAGE']
default['ssh-hardening']['ssh']['client'].tap do |client|
client['mac'] = nil # nil = calculate best combination for client
client['kex'] = nil # nil = calculate best combination for client
client['cipher'] = nil # nil = calculate best combination for client
client['cbc_required'] = false
client['weak_hmac'] = false
client['weak_kex'] = false
client['remote_hosts'] = []
client['password_authentication'] = false # ssh
# http://undeadly.org/cgi?action=article&sid=20160114142733
client['roaming'] = false
client['send_env'] = ['LANG', 'LC_*', 'LANGUAGE']

# extra client configuration options
client['extras'].tap = {}
end

# sshd
default['ssh-hardening']['ssh']['server']['kex'] = nil # nil = calculate best combination for server version
default['ssh-hardening']['ssh']['server']['cipher'] = nil # nil = calculate best combination for server version
default['ssh-hardening']['ssh']['server']['mac'] = nil # nil = calculate best combination for server version
default['ssh-hardening']['ssh']['server']['cbc_required'] = false
default['ssh-hardening']['ssh']['server']['weak_hmac'] = false
default['ssh-hardening']['ssh']['server']['weak_kex'] = false
default['ssh-hardening']['ssh']['server']['dh_min_prime_size'] = 2048
default['ssh-hardening']['ssh']['server']['dh_build_primes'] = false
default['ssh-hardening']['ssh']['server']['dh_build_primes_size'] = 4096
default['ssh-hardening']['ssh']['server']['host_key_files'] = nil
default['ssh-hardening']['ssh']['server']['client_alive_interval'] = 600 # 10min
default['ssh-hardening']['ssh']['server']['client_alive_count'] = 3 # ~> 3 x interval
default['ssh-hardening']['ssh']['server']['allow_root_with_key'] = false
default['ssh-hardening']['ssh']['server']['allow_tcp_forwarding'] = false
default['ssh-hardening']['ssh']['server']['allow_agent_forwarding'] = false
default['ssh-hardening']['ssh']['server']['allow_x11_forwarding'] = false
default['ssh-hardening']['ssh']['server']['use_pam'] = true
default['ssh-hardening']['ssh']['server']['challenge_response_authentication'] = false
default['ssh-hardening']['ssh']['server']['deny_users'] = []
default['ssh-hardening']['ssh']['server']['allow_users'] = []
default['ssh-hardening']['ssh']['server']['deny_groups'] = []
default['ssh-hardening']['ssh']['server']['allow_groups'] = []
default['ssh-hardening']['ssh']['server']['print_motd'] = false
default['ssh-hardening']['ssh']['server']['print_last_log'] = false
default['ssh-hardening']['ssh']['server']['banner'] = nil # set this to nil to disable banner or provide a path like '/etc/issue.net'
default['ssh-hardening']['ssh']['server']['os_banner'] = false # (Debian OS family)
default['ssh-hardening']['ssh']['server']['use_dns'] = nil # set this to nil to let us use the default OpenSSH in case it's not set by the user
default['ssh-hardening']['ssh']['server']['use_privilege_separation'] = nil # set this to nil to let us detect the attribute based on the node platform
default['ssh-hardening']['ssh']['server']['login_grace_time'] = '30s'
default['ssh-hardening']['ssh']['server']['max_auth_tries'] = 2
default['ssh-hardening']['ssh']['server']['max_sessions'] = 10
default['ssh-hardening']['ssh']['server']['password_authentication'] = false
default['ssh-hardening']['ssh']['server']['log_level'] = 'verbose'
default['ssh-hardening']['ssh']['server']['accept_env'] = ['LANG', 'LC_*', 'LANGUAGE']
default['ssh-hardening']['ssh']['server'].tap do |server| # rubocop: disable BlockLength
server['kex'] = nil # nil = calculate best combination for server version
server['cipher'] = nil # nil = calculate best combination for server version
server['mac'] = nil # nil = calculate best combination for server version
server['cbc_required'] = false
server['weak_hmac'] = false
server['weak_kex'] = false
server['dh_min_prime_size'] = 2048
server['dh_build_primes'] = false
server['dh_build_primes_size'] = 4096
server['host_key_files'] = nil
server['client_alive_interval'] = 600 # 10min
server['client_alive_count'] = 3 # ~> 3 x interval
server['allow_root_with_key'] = false
server['allow_tcp_forwarding'] = false
server['allow_agent_forwarding'] = false
server['allow_x11_forwarding'] = false
server['use_pam'] = true
server['challenge_response_authentication'] = false
server['deny_users'] = []
server['allow_users'] = []
server['deny_groups'] = []
server['allow_groups'] = []
server['print_motd'] = false
server['print_last_log'] = false
server['banner'] = nil # set this to nil to disable banner or provide a path like '/etc/issue.net'
server['os_banner'] = false # (Debian OS family)
server['use_dns'] = nil # set this to nil to let us use the default OpenSSH in case it's not set by the user
server['use_privilege_separation'] = nil # set this to nil to let us detect the attribute based on the node platform
server['login_grace_time'] = '30s'
server['max_auth_tries'] = 2
server['max_sessions'] = 10
server['password_authentication'] = false
server['log_level'] = 'verbose'
server['accept_env'] = ['LANG', 'LC_*', 'LANGUAGE']

# sshd sftp options
default['ssh-hardening']['ssh']['server']['sftp']['enable'] = false
default['ssh-hardening']['ssh']['server']['sftp']['group'] = 'sftponly'
default['ssh-hardening']['ssh']['server']['sftp']['chroot'] = '/home/%u'
# extra server configuration options
server['extras'] = {}

# sshd sftp options
server['sftp']['enable'] = false
server['sftp']['group'] = 'sftponly'
server['sftp']['chroot'] = '/home/%u'
end
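Review bot: `client['extras'].tap = {}` on the client side does not set a default — it invokes a `tap=` setter on whatever `client['extras']` returns, so the recipe will fail with NoMethodError (or, with Chef's auto-vivifying attribute mashes, leave `extras` unset); it should read `client['extras'] = {}`, matching `server['extras'] = {}` in the sshd block. The `# rubocop: disable BlockLength` on the server `tap` line has no matching enable, so the disable stays in effect for the rest of the file; add `# rubocop:enable BlockLength` after that block's `end`. A comment on both `extras` defaults would also help operators, e.g. `# Keyword => value pairs rendered verbatim into the generated config after the managed directives; OpenSSH keeps the first value it reads for a keyword, so entries here cannot override directives set by the other attributes` — the last clause depends on OpenSSH's first-value-wins parsing, which the templates rely on implicitly, so confirm it before documenting it.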
7 changes: 7 additions & 0 deletions templates/default/openssh.conf.erb
Expand Up @@ -117,3 +117,10 @@ UseRoaming <%= @node['ssh-hardening']['ssh']['client']['roaming'] ? 'yes' : 'no'
# Send locale environment variables
SendEnv <%= @node['ssh-hardening']['ssh']['client']['send_env'].join(' ') %>
<% end %>

<%- unless Array(@node['ssh-hardening']['ssh']['client']['extras']).empty? %>
# Extra Configuration Options
<%- Array(@node['ssh-hardening']['ssh']['client']['extras']).each do |key, value| %>
<%= key %> <%= value %>
<% end -%>
<% end -%>
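Review bot: The loop interpolates each `extras` value with no normalization, so a `true`/`false` value renders as `true`/`false` and an Array value as Ruby's inspect form (`["a", "b"]`), neither of which OpenSSH parses in place of `yes`/`no` or a space-separated list; the identical loop added to templates/default/opensshd.conf.erb has the same issue. Rendering with `<%= key %> <%= Array(value).join(' ') %>` covers list values, and a comment above the loop stating that values are passed through as literal strings and must already be in OpenSSH syntax covers the rest. Because `extras` is a Hash, a keyword that must appear more than once (for example sshd's `HostKey`) cannot be expressed here, and because OpenSSH uses the first value it reads for a keyword, an `extras` entry duplicating a directive rendered earlier in the template is silently ignored rather than overriding it — worth documenting so operators do not expect `extras` to change the hardened defaults. Since node attributes can be supplied by roles, environments or wrapper cookbooks, a value containing a newline would be emitted as additional directives; rejecting such values (or rendering them through `value.to_s.lines.first.chomp`) keeps one attribute entry to one config line.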
7 changes: 7 additions & 0 deletions templates/default/opensshd.conf.erb
Expand Up @@ -229,3 +229,10 @@ X11Forwarding no
#PermitRootLogin no
#X11Forwarding no
<% end %>

<%- unless Array(@node['ssh-hardening']['ssh']['server']['extras']).empty? %>
# Extra Configuration Options
<%- Array(@node['ssh-hardening']['ssh']['server']['extras']).each do |key, value| %>
<%= key %> <%= value %>
<% end -%>
<% end -%>
