Why not wrap openssh cookbook #89
Comments
I was going to suggest the same thing after I made a proof of concept. I have actually had to override the current template to change some options that are hard-coded in the existing template. I like the way the opscode cookbook handles the config files, and it should give us all the flexibility to set our hardening options.
@itwasntandy and @Rockstar04 Thanks for bringing up this question. As you may have recognized, the ssh module is the only chef module that is not implemented as an overlay module. Back when we started this, we took an in-depth look into the openssh cookbook, but finally decided to go with a standalone implementation. Some reasons are:
We are currently reconsidering the base cookbook for ssh-hardening, i.e. making this into an overlay module like the rest. We will have another look at the openssh cookbook and others; let's see if pull requests get us to where we need it to be. If all fails, we will split out a proper template for ssh.
I agree that our ssh and sshd templates are not as flexible as they should be ;-)
We have talked to Chef and will try to update the chef ssh cookbook. If all goes well, we can use it as the new base cookbook and use the same overlay style we have in place for e.g. mysql.
I had a look at the README of the current state of the openssh cookbook. It looks like you can set all options of the ssh client/server, so it looks feasible to give it a try. @arlimus @chris-rock @atomic111 opinions?
@artem-sidorenko Sounds like a good plan. Should we plan this for version 3?
Hi, I have been thinking about this for a while and thought I'd open an issue, but I see one has already been open for a while. Currently I have both openssh and this cookbook managing config, which isn't great. Are you open to accepting a PR these days to wrap openssh where possible? I think it would be helpful for many who are already using it and want the hardening without any additional hassle. Stephen
@shoekstra definitely! This would be a great contribution!
You should consider releasing sample roles/policies as opposed to a wrapper cookbook. Just my 2 cents
@bobchaos can you elaborate a bit? The idea isn't completely clear for me
Hi,
I like what you're trying to do here, but I've a couple of questions with regard to the approach.
As it stands this cookbook is incompatible with the openssh-cookbook as it tries to change the same files.
( https://github.com/opscode-cookbooks/openssh )
It would seem sensible to me for this to be a wrapper around openssh-cookbook which sets sensible, secure defaults
Did you consider this as an option? If so, why did you not go this way?
Edit to add: I'd be happy to file a PR with this re-worked as a wrapper, if you're open to the idea.
thanks
Andrew