Grid環境構築用のChefリポジトリです。
Revision | bb4ec6abb8940d0687b6ba3d842d5a687c908dea (tree) |
Zeit | 2016-01-20 21:53:52 |
Autor | whitestar <whitestar@gaea...> |
Commiter | whitestar |
add ssh_utils cookbook.
@@ -0,0 +1,7 @@ | ||
1 | +ssh_utils CHANGELOG | |
2 | +=================== | |
3 | + | |
4 | +0.1.0 | |
5 | +----- | |
6 | +- Initial release of ssh_utils | |
7 | + |
@@ -0,0 +1,56 @@ | ||
1 | +ssh_utils Cookbook | |
2 | +================== | |
3 | + | |
4 | +This cookbook sets up OpenSSH Server. | |
5 | + | |
6 | +Requirements | |
7 | +------------ | |
8 | + | |
9 | +#### packages | |
10 | +- none. | |
11 | + | |
12 | +#### cookbooks | |
13 | +- `ssl_cert` - to deploy SSH-CA public key. | |
14 | + | |
15 | +Attributes | |
16 | +---------- | |
17 | + | |
18 | +#### ssh_utils::default | |
19 | + | |
20 | +|Key|Type|Description, example|Default| | |
21 | +|:--|:--|:--|:--| | |
22 | +|`['ssh_utils']['with_ssl_cert_cookbook']`|Boolean|works with `ssl_cert` cookbook.|`false`| | |
23 | +|`['ssh_utils']['ssl_cert']['ca_pubkey_name']`|String|deployed SSH-CA public key name.|`nil`| | |
24 | +|`['ssh_utils']['sshd_config']['extra_props']['<property_name>']`|String of Array|properties for sshd_config.|empty| | |
25 | + | |
26 | +Usage | |
27 | +----- | |
28 | +#### ssh_utils::default | |
29 | +- do nothing. | |
30 | + | |
31 | +#### ssh_utils::server | |
32 | +- set up OpenSSH server. | |
33 | +- If `node['ssh_utils']['with_ssl_cert_cookbook']` is true, | |
34 | +`node['ssh_utils']['sshd_config']['extra_props']['TrustedUserCAKeys']` is overridden | |
35 | + by the file path based on `node['ssh_utils']['ssl_cert']['ca_pubkey_name']` attributes. | |
36 | + | |
37 | +License and Authors | |
38 | +------------------- | |
39 | +- Author:: whitestar at osdn.jp | |
40 | + | |
41 | +```text | |
42 | +Copyright 2016, whitestar | |
43 | + | |
44 | +Licensed under the Apache License, Version 2.0 (the "License"); | |
45 | +you may not use this file except in compliance with the License. | |
46 | +You may obtain a copy of the License at | |
47 | + | |
48 | + http://www.apache.org/licenses/LICENSE-2.0 | |
49 | + | |
50 | +Unless required by applicable law or agreed to in writing, software | |
51 | +distributed under the License is distributed on an "AS IS" BASIS, | |
52 | +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
53 | +See the License for the specific language governing permissions and | |
54 | +limitations under the License. | |
55 | +``` | |
56 | + |
@@ -0,0 +1,34 @@ | ||
1 | +# | |
2 | +# Cookbook Name:: ssh_utils | |
3 | +# Attributes:: default | |
4 | +# | |
5 | +# Copyright 2016, whitestar | |
6 | +# | |
7 | +# Licensed under the Apache License, Version 2.0 (the "License"); | |
8 | +# you may not use this file except in compliance with the License. | |
9 | +# You may obtain a copy of the License at | |
10 | +# | |
11 | +# http://www.apache.org/licenses/LICENSE-2.0 | |
12 | +# | |
13 | +# Unless required by applicable law or agreed to in writing, software | |
14 | +# distributed under the License is distributed on an "AS IS" BASIS, | |
15 | +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
16 | +# See the License for the specific language governing permissions and | |
17 | +# limitations under the License. | |
18 | +# | |
19 | + | |
20 | +default['ssh_utils']['with_ssl_cert_cookbook'] = false | |
21 | +# If node['ssh_utils']['with_ssl_cert_cookbook'] is true, | |
22 | +# node['ssh_utils']['sshd_config']['extra_props']['TrustedUserCAKeys'] | |
23 | +# is overridden by the following 'ca_pubkey_name' attributes. | |
24 | +default['ssh_utils']['ssl_cert']['ca_pubkey_name'] = nil | |
25 | + | |
26 | +# server | |
27 | +default['ssh_utils']['sshd_config'] = { | |
28 | + 'extra_props' => { | |
29 | + # e.g. | |
30 | + #'Banner' => '/etc/issue.net', | |
31 | + #'TrustedUserCAKeys' => '/path/to/ca_public_keys.pub', | |
32 | + }, | |
33 | +} | |
34 | + |
@@ -0,0 +1,10 @@ | ||
1 | +name 'ssh_utils' | |
2 | +maintainer 'whitestar' | |
3 | +maintainer_email '' | |
4 | +license 'Apache 2.0' | |
5 | +description 'Installs/Configures ssh_utils' | |
6 | +long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) | |
7 | +version '0.1.0' | |
8 | + | |
9 | +depends 'ssl_cert', '>= 0.2.0' | |
10 | + |
@@ -0,0 +1,18 @@ | ||
1 | +# | |
2 | +# Cookbook Name:: ssh_utils | |
3 | +# Recipe:: default | |
4 | +# | |
5 | +# Copyright 2016, whitestar | |
6 | +# | |
7 | +# Licensed under the Apache License, Version 2.0 (the "License"); | |
8 | +# you may not use this file except in compliance with the License. | |
9 | +# You may obtain a copy of the License at | |
10 | +# | |
11 | +# http://www.apache.org/licenses/LICENSE-2.0 | |
12 | +# | |
13 | +# Unless required by applicable law or agreed to in writing, software | |
14 | +# distributed under the License is distributed on an "AS IS" BASIS, | |
15 | +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
16 | +# See the License for the specific language governing permissions and | |
17 | +# limitations under the License. | |
18 | +# |
@@ -0,0 +1,57 @@ | ||
1 | +# | |
2 | +# Cookbook Name:: ssh_utils | |
3 | +# Recipe:: server | |
4 | +# | |
5 | +# Copyright 2016, whitestar | |
6 | +# | |
7 | +# Licensed under the Apache License, Version 2.0 (the "License"); | |
8 | +# you may not use this file except in compliance with the License. | |
9 | +# You may obtain a copy of the License at | |
10 | +# | |
11 | +# http://www.apache.org/licenses/LICENSE-2.0 | |
12 | +# | |
13 | +# Unless required by applicable law or agreed to in writing, software | |
14 | +# distributed under the License is distributed on an "AS IS" BASIS, | |
15 | +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
16 | +# See the License for the specific language governing permissions and | |
17 | +# limitations under the License. | |
18 | +# | |
19 | + | |
20 | +if node['ssh_utils']['with_ssl_cert_cookbook'] \ | |
21 | + && !node['ssh_utils']['ssl_cert']['ca_pubkey_name'].nil? then | |
22 | + node.override['ssh_utils']['sshd_config']['extra_props']['TrustedUserCAKeys'] \ | |
23 | + = node['ssl_cert']["#{node['ssh_utils']['ssl_cert']['ca_pubkey_name']}_pubkey_path"] | |
24 | +end | |
25 | + | |
26 | +[ | |
27 | + 'openssh-server', | |
28 | +].each {|pkg| | |
29 | + resources(:package => pkg) rescue package pkg do | |
30 | + action :install | |
31 | + end | |
32 | +} | |
33 | + | |
34 | +srv = 'sshd' | |
35 | +conf_mode = '0600' | |
36 | + | |
37 | +case node[:platform_family] | |
38 | + when 'debian' | |
39 | + srv = 'ssh' | |
40 | + conf_mode = '0644' | |
41 | + when 'rhel' | |
42 | + srv = 'sshd' | |
43 | + conf_mode = '0600' | |
44 | +end | |
45 | + | |
46 | +resources(:service => srv) rescue service srv do | |
47 | + action [:enable, :start] | |
48 | +end | |
49 | + | |
50 | +template "/etc/ssh/sshd_config" do | |
51 | + source "etc/ssh/sshd_config" | |
52 | + owner 'root' | |
53 | + group 'root' | |
54 | + mode conf_mode | |
55 | + notifies :restart, "service[#{srv}]" | |
56 | +end | |
57 | + |
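Review bot: The `TrustedUserCAKeys` override at the top of the recipe silently does nothing when `node['ssl_cert']["<name>_pubkey_path"]` is not defined: the lookup returns nil, the template's `is_a?(String)` test drops it, and sshd ends up with no CA trust while the operator believes certificate login is configured. That happens whenever `ca_pubkey_name` is not also listed in `node['ssl_cert']['ca_pubkey_names']` or `ssl_cert::ca_pubkeys` is not in the run list, and this recipe enforces neither. I would fail loudly instead, e.g. `ca_path = node['ssl_cert']["#{node['ssh_utils']['ssl_cert']['ca_pubkey_name']}_pubkey_path"]` followed by `raise "ssh_utils: no ssl_cert pubkey path for #{node['ssh_utils']['ssl_cert']['ca_pubkey_name']}" if ca_path.nil?` before the `node.override`, and consider `include_recipe 'ssl_cert::ca_pubkeys'` so the key file exists before sshd restarts. Since a typo in any `extra_props` value breaks the restart of the only remote-access service, `verify 'sshd -t -f %{path}'` on the template resource (Chef 12.1+) would reject a bad config before it replaces the live one.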
@@ -0,0 +1,20 @@ | ||
1 | +require_relative '../spec_helper' | |
2 | + | |
3 | +describe 'ssh_utils::default' do | |
4 | + subject { ChefSpec::Runner.new.converge(described_recipe) } | |
5 | + | |
6 | + # Write quick specs using `it` blocks with implied subjects | |
7 | + it { should do_something('...') } | |
8 | + | |
9 | + # Write full examples using the `expect` syntax | |
10 | + it 'does something' do | |
11 | + expect(subject).to do_something('...') | |
12 | + end | |
13 | + | |
14 | + # Use an explicit subject | |
15 | + let(:chef_run) { ChefSpec::Runner.new.converge(described_recipe) } | |
16 | + | |
17 | + it 'does something' do | |
18 | + expect(chef_run).to do_something('...') | |
19 | + end | |
20 | +end |
@@ -0,0 +1,25 @@ | ||
1 | +# Added by ChefSpec | |
2 | +require 'chefspec' | |
3 | + | |
4 | +# Uncomment to use ChefSpec's Berkshelf extension | |
5 | +# require 'chefspec/berkshelf' | |
6 | + | |
7 | +RSpec.configure do |config| | |
8 | + # Specify the path for Chef Solo to find cookbooks | |
9 | + # config.cookbook_path = '/var/cookbooks' | |
10 | + | |
11 | + # Specify the path for Chef Solo to find roles | |
12 | + # config.role_path = '/var/roles' | |
13 | + | |
14 | + # Specify the Chef log_level (default: :warn) | |
15 | + # config.log_level = :debug | |
16 | + | |
17 | + # Specify the path to a local JSON file with Ohai data | |
18 | + # config.path = 'ohai.json' | |
19 | + | |
20 | + # Specify the operating platform to mock Ohai data from | |
21 | + # config.platform = 'ubuntu' | |
22 | + | |
23 | + # Specify the operating version to mock Ohai data from | |
24 | + # config.version = '12.04' | |
25 | +end |
@@ -0,0 +1,154 @@ | ||
1 | +# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $ | |
2 | + | |
3 | +# This is the sshd server system-wide configuration file. See | |
4 | +# sshd_config(5) for more information. | |
5 | + | |
6 | +# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin | |
7 | + | |
8 | +# The strategy used for options in the default sshd_config shipped with | |
9 | +# OpenSSH is to specify options with their default value where | |
10 | +# possible, but leave them commented. Uncommented options change a | |
11 | +# default value. | |
12 | + | |
13 | +#Port 22 | |
14 | +#AddressFamily any | |
15 | +#ListenAddress 0.0.0.0 | |
16 | +#ListenAddress :: | |
17 | + | |
18 | +# Disable legacy (protocol version 1) support in the server for new | |
19 | +# installations. In future the default will change to require explicit | |
20 | +# activation of protocol 1 | |
21 | +Protocol 2 | |
22 | + | |
23 | +# HostKey for protocol version 1 | |
24 | +#HostKey /etc/ssh/ssh_host_key | |
25 | +# HostKeys for protocol version 2 | |
26 | +#HostKey /etc/ssh/ssh_host_rsa_key | |
27 | +#HostKey /etc/ssh/ssh_host_dsa_key | |
28 | + | |
29 | +# Lifetime and size of ephemeral version 1 server key | |
30 | +#KeyRegenerationInterval 1h | |
31 | +#ServerKeyBits 1024 | |
32 | + | |
33 | +# Logging | |
34 | +# obsoletes QuietMode and FascistLogging | |
35 | +#SyslogFacility AUTH | |
36 | +SyslogFacility AUTHPRIV | |
37 | +#LogLevel INFO | |
38 | + | |
39 | +# Authentication: | |
40 | + | |
41 | +#LoginGraceTime 2m | |
42 | +#PermitRootLogin yes | |
43 | +#StrictModes yes | |
44 | +#MaxAuthTries 6 | |
45 | +#MaxSessions 10 | |
46 | + | |
47 | +#RSAAuthentication yes | |
48 | +#PubkeyAuthentication yes | |
49 | +#AuthorizedKeysFile .ssh/authorized_keys | |
50 | +#AuthorizedKeysCommand none | |
51 | +#AuthorizedKeysCommandRunAs nobody | |
52 | + | |
53 | +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts | |
54 | +#RhostsRSAAuthentication no | |
55 | +# similar for protocol version 2 | |
56 | +#HostbasedAuthentication no | |
57 | +# Change to yes if you don't trust ~/.ssh/known_hosts for | |
58 | +# RhostsRSAAuthentication and HostbasedAuthentication | |
59 | +#IgnoreUserKnownHosts no | |
60 | +# Don't read the user's ~/.rhosts and ~/.shosts files | |
61 | +#IgnoreRhosts yes | |
62 | + | |
63 | +# To disable tunneled clear text passwords, change to no here! | |
64 | +#PasswordAuthentication yes | |
65 | +#PermitEmptyPasswords no | |
66 | +PasswordAuthentication yes | |
67 | + | |
68 | +# Change to no to disable s/key passwords | |
69 | +#ChallengeResponseAuthentication yes | |
70 | +ChallengeResponseAuthentication no | |
71 | + | |
72 | +# Kerberos options | |
73 | +#KerberosAuthentication no | |
74 | +#KerberosOrLocalPasswd yes | |
75 | +#KerberosTicketCleanup yes | |
76 | +#KerberosGetAFSToken no | |
77 | +#KerberosUseKuserok yes | |
78 | + | |
79 | +# GSSAPI options | |
80 | +#GSSAPIAuthentication no | |
81 | +GSSAPIAuthentication yes | |
82 | +#GSSAPICleanupCredentials yes | |
83 | +GSSAPICleanupCredentials yes | |
84 | +#GSSAPIStrictAcceptorCheck yes | |
85 | +#GSSAPIKeyExchange no | |
86 | + | |
87 | +# Set this to 'yes' to enable PAM authentication, account processing, | |
88 | +# and session processing. If this is enabled, PAM authentication will | |
89 | +# be allowed through the ChallengeResponseAuthentication and | |
90 | +# PasswordAuthentication. Depending on your PAM configuration, | |
91 | +# PAM authentication via ChallengeResponseAuthentication may bypass | |
92 | +# the setting of "PermitRootLogin without-password". | |
93 | +# If you just want the PAM account and session checks to run without | |
94 | +# PAM authentication, then enable this but set PasswordAuthentication | |
95 | +# and ChallengeResponseAuthentication to 'no'. | |
96 | +#UsePAM no | |
97 | +UsePAM yes | |
98 | + | |
99 | +# Accept locale-related environment variables | |
100 | +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES | |
101 | +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT | |
102 | +AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE | |
103 | +AcceptEnv XMODIFIERS | |
104 | + | |
105 | +#AllowAgentForwarding yes | |
106 | +#AllowTcpForwarding yes | |
107 | +#GatewayPorts no | |
108 | +#X11Forwarding no | |
109 | +X11Forwarding yes | |
110 | +#X11DisplayOffset 10 | |
111 | +#X11UseLocalhost yes | |
112 | +#PrintMotd yes | |
113 | +#PrintLastLog yes | |
114 | +#TCPKeepAlive yes | |
115 | +#UseLogin no | |
116 | +#UsePrivilegeSeparation yes | |
117 | +#PermitUserEnvironment no | |
118 | +#Compression delayed | |
119 | +#ClientAliveInterval 0 | |
120 | +#ClientAliveCountMax 3 | |
121 | +#ShowPatchLevel no | |
122 | +#UseDNS yes | |
123 | +#PidFile /var/run/sshd.pid | |
124 | +#MaxStartups 10:30:100 | |
125 | +#PermitTunnel no | |
126 | +#ChrootDirectory none | |
127 | + | |
128 | +# no default banner path | |
129 | +#Banner none | |
130 | + | |
131 | +# override default of no subsystems | |
132 | +Subsystem sftp /usr/libexec/openssh/sftp-server | |
133 | + | |
134 | +# Example of overriding settings on a per-user basis | |
135 | +#Match User anoncvs | |
136 | +# X11Forwarding no | |
137 | +# AllowTcpForwarding no | |
138 | +# ForceCommand cvs server | |
139 | + | |
140 | +<% | |
141 | +node['ssh_utils']['sshd_config']['extra_props'].each {|key, value| | |
142 | + if value.is_a?(String) then | |
143 | +-%> | |
144 | +<%= key %> <%= value %> | |
145 | +<% | |
146 | + elsif value.is_a?(Array) then | |
147 | + value.each {|elm| | |
148 | +-%> | |
149 | +<%= key %> <%= elm %> | |
150 | +<% | |
151 | + } | |
152 | + end | |
153 | +} | |
154 | +-%> |
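Review bot: The `extra_props` loop is rendered at the very end of the file, after the hard-coded `PasswordAuthentication yes`, `GSSAPIAuthentication yes`, `X11Forwarding yes` and `UsePAM yes`, and sshd_config(5) keeps the first value it reads for a keyword, so none of those can be changed through `extra_props`; an attribute of `'PasswordAuthentication' => 'no'` is silently ignored. Either render the `<% ... extra_props ... %>` block near the top of the template (before `Port`/`Protocol`) so attribute-supplied values win, or drop the explicit `PasswordAuthentication yes` line, which only restates the default shown on the commented line above it, and let operators decide via the attribute; keeping the loop last only makes sense if `extra_props` is meant to carry `Match` blocks, which should be stated in a comment. Given the cookbook exists to deploy an SSH CA, explicitly enabling tunnelled passwords and X11 forwarding on a grid node deserves a why-comment such as `# password auth kept for initial bootstrap; disable once CA certs are deployed`, which with the current ordering cannot actually be done from attributes.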
@@ -0,0 +1,93 @@ | ||
1 | +# Package generated configuration file | |
2 | +# See the sshd(8) manpage for details | |
3 | + | |
4 | +# What ports, IPs and protocols we listen for | |
5 | +Port 22 | |
6 | +# Use these options to restrict which interfaces/protocols sshd will bind to | |
7 | +#ListenAddress :: | |
8 | +#ListenAddress 0.0.0.0 | |
9 | +Protocol 2 | |
10 | +# HostKeys for protocol version 2 | |
11 | +HostKey /etc/ssh/ssh_host_rsa_key | |
12 | +HostKey /etc/ssh/ssh_host_dsa_key | |
13 | +#Privilege Separation is turned on for security | |
14 | +UsePrivilegeSeparation yes | |
15 | + | |
16 | +# Lifetime and size of ephemeral version 1 server key | |
17 | +KeyRegenerationInterval 3600 | |
18 | +ServerKeyBits 1024 | |
19 | + | |
20 | +# Logging | |
21 | +SyslogFacility AUTH | |
22 | +LogLevel INFO | |
23 | + | |
24 | +# Authentication: | |
25 | +LoginGraceTime 120 | |
26 | +PermitRootLogin without-password | |
27 | +StrictModes yes | |
28 | + | |
29 | +RSAAuthentication yes | |
30 | +PubkeyAuthentication yes | |
31 | +#AuthorizedKeysFile %h/.ssh/authorized_keys | |
32 | + | |
33 | +# Don't read the user's ~/.rhosts and ~/.shosts files | |
34 | +IgnoreRhosts yes | |
35 | +# For this to work you will also need host keys in /etc/ssh_known_hosts | |
36 | +RhostsRSAAuthentication no | |
37 | +# similar for protocol version 2 | |
38 | +HostbasedAuthentication no | |
39 | +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication | |
40 | +#IgnoreUserKnownHosts yes | |
41 | + | |
42 | +# To enable empty passwords, change to yes (NOT RECOMMENDED) | |
43 | +PermitEmptyPasswords no | |
44 | + | |
45 | +# Change to yes to enable challenge-response passwords (beware issues with | |
46 | +# some PAM modules and threads) | |
47 | +ChallengeResponseAuthentication no | |
48 | + | |
49 | +# Change to no to disable tunnelled clear text passwords | |
50 | +#PasswordAuthentication yes | |
51 | + | |
52 | +# Kerberos options | |
53 | +#KerberosAuthentication no | |
54 | +#KerberosGetAFSToken no | |
55 | +#KerberosOrLocalPasswd yes | |
56 | +#KerberosTicketCleanup yes | |
57 | + | |
58 | +# GSSAPI options | |
59 | +#GSSAPIAuthentication no | |
60 | +#GSSAPICleanupCredentials yes | |
61 | + | |
62 | +X11Forwarding yes | |
63 | +X11DisplayOffset 10 | |
64 | +PrintMotd no | |
65 | +PrintLastLog yes | |
66 | +TCPKeepAlive yes | |
67 | +#UseLogin no | |
68 | + | |
69 | +#MaxStartups 10:30:60 | |
70 | +#Banner /etc/issue.net | |
71 | + | |
72 | +# Allow client to pass locale environment variables | |
73 | +AcceptEnv LANG LC_* | |
74 | + | |
75 | +Subsystem sftp /usr/lib/openssh/sftp-server | |
76 | + | |
77 | +UsePAM yes | |
78 | + | |
79 | +<% | |
80 | +node['ssh_utils']['sshd_config']['extra_props'].each {|key, value| | |
81 | + if value.is_a?(String) then | |
82 | +-%> | |
83 | +<%= key %> <%= value %> | |
84 | +<% | |
85 | + elsif value.is_a?(Array) then | |
86 | + value.each {|elm| | |
87 | +-%> | |
88 | +<%= key %> <%= elm %> | |
89 | +<% | |
90 | + } | |
91 | + end | |
92 | +} | |
93 | +-%> |
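Review bot: `HostKey /etc/ssh/ssh_host_dsa_key` offers a DSA host key alongside RSA; OpenSSH DSA keys are fixed at 1024 bits and clients from OpenSSH 7.0 onward refuse ssh-dss by default, so the line adds nothing for current clients and a weak key for old ones. Unless legacy clients are known to need it, I would drop that line (or gate it with `<% if %>` on an attribute) and keep only the RSA key. The `KeyRegenerationInterval`/`ServerKeyBits` lines are protocol-1-only and inert under `Protocol 2`, so a comment `# protocol 1 only; ignored with Protocol 2` would save the next reader a lookup. As with the other templates in this commit, the `extra_props` loop at the bottom cannot override keywords set above it (sshd uses the first value), so `PermitRootLogin without-password` and `X11Forwarding yes` are effectively fixed here.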
@@ -0,0 +1,93 @@ | ||
1 | +# Package generated configuration file | |
2 | +# See the sshd(8) manpage for details | |
3 | + | |
4 | +# What ports, IPs and protocols we listen for | |
5 | +Port 22 | |
6 | +# Use these options to restrict which interfaces/protocols sshd will bind to | |
7 | +#ListenAddress :: | |
8 | +#ListenAddress 0.0.0.0 | |
9 | +Protocol 2 | |
10 | +# HostKeys for protocol version 2 | |
11 | +HostKey /etc/ssh/ssh_host_rsa_key | |
12 | +HostKey /etc/ssh/ssh_host_dsa_key | |
13 | +#Privilege Separation is turned on for security | |
14 | +UsePrivilegeSeparation yes | |
15 | + | |
16 | +# Lifetime and size of ephemeral version 1 server key | |
17 | +KeyRegenerationInterval 3600 | |
18 | +ServerKeyBits 1024 | |
19 | + | |
20 | +# Logging | |
21 | +SyslogFacility AUTH | |
22 | +LogLevel INFO | |
23 | + | |
24 | +# Authentication: | |
25 | +LoginGraceTime 120 | |
26 | +PermitRootLogin without-password | |
27 | +StrictModes yes | |
28 | + | |
29 | +RSAAuthentication yes | |
30 | +PubkeyAuthentication yes | |
31 | +#AuthorizedKeysFile %h/.ssh/authorized_keys | |
32 | + | |
33 | +# Don't read the user's ~/.rhosts and ~/.shosts files | |
34 | +IgnoreRhosts yes | |
35 | +# For this to work you will also need host keys in /etc/ssh_known_hosts | |
36 | +RhostsRSAAuthentication no | |
37 | +# similar for protocol version 2 | |
38 | +HostbasedAuthentication no | |
39 | +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication | |
40 | +#IgnoreUserKnownHosts yes | |
41 | + | |
42 | +# To enable empty passwords, change to yes (NOT RECOMMENDED) | |
43 | +PermitEmptyPasswords no | |
44 | + | |
45 | +# Change to yes to enable challenge-response passwords (beware issues with | |
46 | +# some PAM modules and threads) | |
47 | +ChallengeResponseAuthentication no | |
48 | + | |
49 | +# Change to no to disable tunnelled clear text passwords | |
50 | +#PasswordAuthentication yes | |
51 | + | |
52 | +# Kerberos options | |
53 | +#KerberosAuthentication no | |
54 | +#KerberosGetAFSToken no | |
55 | +#KerberosOrLocalPasswd yes | |
56 | +#KerberosTicketCleanup yes | |
57 | + | |
58 | +# GSSAPI options | |
59 | +#GSSAPIAuthentication no | |
60 | +#GSSAPICleanupCredentials yes | |
61 | + | |
62 | +X11Forwarding yes | |
63 | +X11DisplayOffset 10 | |
64 | +PrintMotd no | |
65 | +PrintLastLog yes | |
66 | +TCPKeepAlive yes | |
67 | +#UseLogin no | |
68 | + | |
69 | +#MaxStartups 10:30:60 | |
70 | +#Banner /etc/issue.net | |
71 | + | |
72 | +# Allow client to pass locale environment variables | |
73 | +AcceptEnv LANG LC_* | |
74 | + | |
75 | +Subsystem sftp /usr/lib/openssh/sftp-server | |
76 | + | |
77 | +UsePAM yes | |
78 | + | |
79 | +<% | |
80 | +node['ssh_utils']['sshd_config']['extra_props'].each {|key, value| | |
81 | + if value.is_a?(String) then | |
82 | +-%> | |
83 | +<%= key %> <%= value %> | |
84 | +<% | |
85 | + elsif value.is_a?(Array) then | |
86 | + value.each {|elm| | |
87 | +-%> | |
88 | +<%= key %> <%= elm %> | |
89 | +<% | |
90 | + } | |
91 | + end | |
92 | +} | |
93 | +-%> |
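Review bot: This template is byte-for-byte identical to the preceding one in this commit (same `HostKey` lines, same `PermitRootLogin without-password`, same trailing `extra_props` loop), so the two copies will drift apart on the next hardening change. Chef's per-platform template lookup only needs a separate file when content differs; I would keep a single `templates/default` copy and express the platform-specific lines (`HostKey` set, `Subsystem` path) with `<% if %>` on `node['platform_version']` or an attribute, or at minimum add a header comment `# keep in sync with the sibling sshd_config templates` naming the twins. The same sshd first-value caveat applies here: because the `extra_props` loop is rendered last, it cannot override `PermitRootLogin` or `X11Forwarding` set above it.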
@@ -0,0 +1,104 @@ | ||
1 | +# Package generated configuration file | |
2 | +# See the sshd_config(5) manpage for details | |
3 | + | |
4 | +# What ports, IPs and protocols we listen for | |
5 | +Port 22 | |
6 | +# Use these options to restrict which interfaces/protocols sshd will bind to | |
7 | +#ListenAddress :: | |
8 | +#ListenAddress 0.0.0.0 | |
9 | +Protocol 2 | |
10 | +# HostKeys for protocol version 2 | |
11 | +HostKey /etc/ssh/ssh_host_rsa_key | |
12 | +HostKey /etc/ssh/ssh_host_dsa_key | |
13 | +HostKey /etc/ssh/ssh_host_ecdsa_key | |
14 | +HostKey /etc/ssh/ssh_host_ed25519_key | |
15 | +#Privilege Separation is turned on for security | |
16 | +UsePrivilegeSeparation yes | |
17 | + | |
18 | +# Lifetime and size of ephemeral version 1 server key | |
19 | +KeyRegenerationInterval 3600 | |
20 | +ServerKeyBits 1024 | |
21 | + | |
22 | +# Logging | |
23 | +SyslogFacility AUTH | |
24 | +LogLevel INFO | |
25 | + | |
26 | +# Authentication: | |
27 | +LoginGraceTime 120 | |
28 | +PermitRootLogin without-password | |
29 | +StrictModes yes | |
30 | + | |
31 | +RSAAuthentication yes | |
32 | +PubkeyAuthentication yes | |
33 | +#AuthorizedKeysFile %h/.ssh/authorized_keys | |
34 | + | |
35 | +# Don't read the user's ~/.rhosts and ~/.shosts files | |
36 | +IgnoreRhosts yes | |
37 | +# For this to work you will also need host keys in /etc/ssh_known_hosts | |
38 | +RhostsRSAAuthentication no | |
39 | +# similar for protocol version 2 | |
40 | +HostbasedAuthentication no | |
41 | +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication | |
42 | +#IgnoreUserKnownHosts yes | |
43 | + | |
44 | +# To enable empty passwords, change to yes (NOT RECOMMENDED) | |
45 | +PermitEmptyPasswords no | |
46 | + | |
47 | +# Change to yes to enable challenge-response passwords (beware issues with | |
48 | +# some PAM modules and threads) | |
49 | +ChallengeResponseAuthentication no | |
50 | + | |
51 | +# Change to no to disable tunnelled clear text passwords | |
52 | +#PasswordAuthentication yes | |
53 | + | |
54 | +# Kerberos options | |
55 | +#KerberosAuthentication no | |
56 | +#KerberosGetAFSToken no | |
57 | +#KerberosOrLocalPasswd yes | |
58 | +#KerberosTicketCleanup yes | |
59 | + | |
60 | +# GSSAPI options | |
61 | +#GSSAPIAuthentication no | |
62 | +#GSSAPICleanupCredentials yes | |
63 | + | |
64 | +X11Forwarding yes | |
65 | +X11DisplayOffset 10 | |
66 | +PrintMotd no | |
67 | +PrintLastLog yes | |
68 | +TCPKeepAlive yes | |
69 | +#UseLogin no | |
70 | + | |
71 | +#MaxStartups 10:30:60 | |
72 | +#Banner /etc/issue.net | |
73 | + | |
74 | +# Allow client to pass locale environment variables | |
75 | +AcceptEnv LANG LC_* | |
76 | + | |
77 | +Subsystem sftp /usr/lib/openssh/sftp-server | |
78 | + | |
79 | +# Set this to 'yes' to enable PAM authentication, account processing, | |
80 | +# and session processing. If this is enabled, PAM authentication will | |
81 | +# be allowed through the ChallengeResponseAuthentication and | |
82 | +# PasswordAuthentication. Depending on your PAM configuration, | |
83 | +# PAM authentication via ChallengeResponseAuthentication may bypass | |
84 | +# the setting of "PermitRootLogin without-password". | |
85 | +# If you just want the PAM account and session checks to run without | |
86 | +# PAM authentication, then enable this but set PasswordAuthentication | |
87 | +# and ChallengeResponseAuthentication to 'no'. | |
88 | +UsePAM yes | |
89 | + | |
90 | +<% | |
91 | +node['ssh_utils']['sshd_config']['extra_props'].each {|key, value| | |
92 | + if value.is_a?(String) then | |
93 | +-%> | |
94 | +<%= key %> <%= value %> | |
95 | +<% | |
96 | + elsif value.is_a?(Array) then | |
97 | + value.each {|elm| | |
98 | +-%> | |
99 | +<%= key %> <%= elm %> | |
100 | +<% | |
101 | + } | |
102 | + end | |
103 | +} | |
104 | +-%> |
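Review bot: With `PermitRootLogin without-password` and `TrustedUserCAKeys` arriving through `extra_props`, any certificate the CA signs without an explicit principal list is, per ssh-keygen(1), valid for every user including root, and this template sets no `AuthorizedPrincipalsFile`, so the only thing between a CA-signed cert and a root shell is the CA's issuing discipline. I would add a comment next to the `PermitRootLogin` line making that dependency explicit, e.g. `# CA-signed certs must carry principals (ssh-keygen -n); a cert without principals is accepted for root here`, and consider rendering `AuthorizedPrincipalsFile` alongside `TrustedUserCAKeys` so a principal match is enforced server-side. `PasswordAuthentication` is also left at its default of yes (the commented line), while the `UsePAM` comment block above warns that PAM may bypass `without-password`; for a CA-based setup, `PasswordAuthentication no` next to the already-present `ChallengeResponseAuthentication no` closes that path.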
@@ -1,9 +1,13 @@ | ||
1 | 1 | ssl_cert CHANGELOG |
2 | 2 | ================== |
3 | 3 | |
4 | +0.2.0 | |
5 | +----- | |
6 | +- add `ca_pubkeys` recipe for SSH-CA, ... | |
7 | + | |
4 | 8 | 0.1.5 |
5 | 9 | ----- |
6 | -- add ['ssl_cert']['rhel']['key_access_group'] attribute. | |
10 | +- add `['ssl_cert']['rhel']['key_access_group']` attribute. | |
7 | 11 | |
8 | 12 | 0.1.4 |
9 | 13 | ----- |
@@ -11,7 +15,7 @@ ssl_cert CHANGELOG | ||
11 | 15 | |
12 | 16 | 0.1.3 |
13 | 17 | ----- |
14 | -- add {ca_cert,server_key,server_cert}_file_prefix attributes. | |
18 | +- add `{ca_cert,server_key,server_cert}_file_prefix` attributes. | |
15 | 19 | |
16 | 20 | 0.1.2 |
17 | 21 | ----- |
@@ -7,7 +7,7 @@ Requirements | ||
7 | 7 | ------------ |
8 | 8 | |
9 | 9 | #### packages |
10 | -- nothing. | |
10 | +- none. | |
11 | 11 | |
12 | 12 | Attributes |
13 | 13 | ---------- |
@@ -17,6 +17,7 @@ Attributes | ||
17 | 17 | |Key|Type|Description, example|Default| |
18 | 18 | |:--|:--|:--|:--| |
19 | 19 | |`['ssl_cert']['ca_names']`|Array|deployed CA certificates from chef-vault|empty| |
20 | +|`['ssl_cert']['ca_pubkey_names']`|Array|deployed CA public keys from chef-vault (0.2.0 or later)|empty| | |
20 | 21 | |`['ssl_cert']['common_names']`|Array|deployed server keys and/or certificates from chef-vault|empty| |
21 | 22 | |`['ssl_cert']['rhel']['key_access_group']`|String|RHEL family's key access group (ver. 0.1.5 or later)|`'ssl-cert'`| |
22 | 23 | |`['ssl_cert']['chef_gem']['clear_sources']`|Boolean|chef_gem resource's clear_sources property.|`false`| |
@@ -28,6 +29,9 @@ Attributes | ||
28 | 29 | |`['ssl_cert']['ca_cert_vault']`|String|CA certificate stored vault name.|`'ca_certs'`| |
29 | 30 | |`['ssl_cert']['ca_cert_vault_item_key']`|String|CA certificate stored vault item key name. (single key or nested hash key path delimited by slash)|`'public'`| |
30 | 31 | |`['ssl_cert']['ca_cert_file_prefix']`|String|CA certificate file name's prefix.|`''`| |
32 | +|`['ssl_cert']['ca_pubkey_vault']`|String|CA public key stored vault name. (0.2.0 or later)|`'ca_pubkeys'`| | |
33 | +|`['ssl_cert']['ca_pubkey_vault_item_key']`|String|CA public key stored vault item key name. (single key or nested hash key path delimited by slash. 0.2.0 or later)|`'public'`| | |
34 | +|`['ssl_cert']['ca_pubkey_file_prefix']`|String|CA public key file name's prefix. (0.2.0 or later)|`''`| | |
31 | 35 | |`['ssl_cert']['server_key_vault']`|String|SSL server key stored vault name.|`'ssl_server_keys'`| |
32 | 36 | |`['ssl_cert']['server_key_vault_item_key']`|String|SSL server key stored vault item key name. (single key or nested hash key path delimited by slash)|`'private'`| |
33 | 37 | |`['ssl_cert']['server_key_file_prefix']`|String|SSL server key file name's prefix.|`''`| |
@@ -35,6 +39,7 @@ Attributes | ||
35 | 39 | |`['ssl_cert']['server_cert_vault_item_key']`|String|SSL server certificate stored vault item key name. (single key or nested hash key path delimited by slash)|`'public'`| |
36 | 40 | |`['ssl_cert']['server_cert_file_prefix']`|String|SSL server certificate file name's prefix.|`''`| |
37 | 41 | |`['ssl_cert']["#{ca}_cert_path"]`|String|deployed CA certificate file path.|`"#{node['ssl_cert']['certs_dir']}/#{node['ssl_cert']['ca_cert_file_prefix']}#{ca}.crt"`| |
42 | +|`['ssl_cert']["#{ca}_pubkey_path"]`|String|deployed CA public key file path. (0.2.0 or later)|`"#{node['ssl_cert']['certs_dir']}/#{node['ssl_cert']['ca_pubkey_file_prefix']}#{ca}.pub"`| | |
38 | 43 | |`['ssl_cert']["#{undotted_cn}_key_path"]`|String|deployed SSL server key file path.|`"#{node['ssl_cert']['private_dir']}/#{node['ssl_cert']['server_key_file_prefix']}#{undotted_cn}.key"`| |
39 | 44 | |`['ssl_cert']["#{undotted_cn}_cert_path"]`|String|deployed SSL server certificate file path.|`"#{node['ssl_cert']['certs_dir']}/#{node['ssl_cert']['server_cert_file_prefix']}#{undotted_cn}.crt"`| |
40 | 45 |
@@ -44,6 +49,7 @@ Usage | ||
44 | 49 | ### recipes |
45 | 50 | - `ssl_cert::default` - deploys CA certificates, SSL server keys and/or certificates. |
46 | 51 | - `ssl_cert::ca_certs` - deploys CA certificates. |
52 | +- `ssl_cert::ca_pubkeys` - deploys CA public keys for SSH-CA, ... (0.2.0 or later) | |
47 | 53 | - `ssl_cert::server_key_pairs` - deploys SSL server keys and certificates. |
48 | 54 | - `ssl_cert::server_keys` - deploys SSL server keys. |
49 | 55 | - `ssl_cert::server_certs` - deploys SSL server certificates. |
@@ -75,6 +81,31 @@ override_attributes( | ||
75 | 81 | ) |
76 | 82 | ``` |
77 | 83 | |
84 | +#### CA public keys (0.2.0 or later) | |
85 | + | |
86 | +- create vault items. | |
87 | + | |
88 | +```text | |
89 | +$ ruby -rjson -e 'puts JSON.generate({"public" => File.read("grid_ssh_ca.prod.pub")})' \ | |
90 | +> > ~/tmp/grid_ssh_ca.prod.pub.json | |
91 | + | |
92 | +$ knife vault create ca_pubkeys grid_ssh_ca.prod \ | |
93 | +> --json ~/tmp/grid_ssh_ca.prod.pub.json | |
94 | +``` | |
95 | + | |
96 | +- add cookbook attributes. | |
97 | + | |
98 | +```ruby | |
99 | +override_attributes( | |
100 | + 'ssl_cert' => { | |
101 | + 'ca_pubkey_names' => [ | |
102 | + 'grid_ssh_ca', | |
103 | + # ... | |
104 | + ], | |
105 | + }, | |
106 | +) | |
107 | +``` | |
108 | + | |
78 | 109 | #### SSL server keys and certificates |
79 | 110 | |
80 | 111 | - create vault items. |
@@ -109,6 +140,7 @@ override_attributes( | ||
109 | 140 | ### References of deployed key and certificate file paths (with default attributes) |
110 | 141 | |
111 | 142 | - `node['ssl_cert']["#{ca}_cert_path"]` - e.g. `node['ssl_cert']['grid_ca_cert_path']` |
143 | +- `node['ssl_cert']["#{ca}_pubkey_path"]` - e.g. `node['ssl_cert']['grid_ssh_ca_pubkey_path']` | |
112 | 144 | - `node['ssl_cert']["#{undotted_cn}_key_path"]` - e.g. `node['ssl_cert']['node_example_com_key_path']` |
113 | 145 | - `node['ssl_cert']["#{undotted_cn}_cert_path"]` - e.g. `node['ssl_cert']['node_example_com_cert_path']` |
114 | 146 |
@@ -22,6 +22,12 @@ default['ssl_cert']['ca_names'] = [ | ||
22 | 22 | #'grid_ca', |
23 | 23 | ] |
24 | 24 | |
25 | +# deployed CA public keys from chef-vault | |
26 | +# for SSH-CA, ... | |
27 | +default['ssl_cert']['ca_pubkey_names'] = [ | |
28 | + #'grid_ssh_ca', | |
29 | +] | |
30 | + | |
25 | 31 | # deployed server keys and/or certificates from chef-vault |
26 | 32 | default['ssl_cert']['common_names'] = [ |
27 | 33 | #'ldap.grid.example.com', |
@@ -57,6 +63,22 @@ default['ssl_cert']['ca_cert_file_prefix'] = '' | ||
57 | 63 | > --json ~/tmp/grid_ca.prod.crt.json |
58 | 64 | =end |
59 | 65 | |
66 | +default['ssl_cert']['ca_pubkey_vault'] = 'ca_pubkeys' | |
67 | +default['ssl_cert']['ca_pubkey_vault_item_key'] = 'public' | |
68 | +default['ssl_cert']['ca_pubkey_file_prefix'] = '' | |
69 | +=begin | |
70 | + CA public key vault item name is | |
71 | + each CA name + ".#{node['ssl_cert']['vault_item_suffix']}". | |
72 | + valut item key is 'public'. | |
73 | + | |
74 | + * vault item management | |
75 | + | |
76 | + $ ruby -rjson -e 'puts JSON.generate({"public" => File.read("grid_ssh_ca.prod.pub")})' \ | |
77 | + > > ~/tmp/grid_ssh_ca.prod.pub.json | |
78 | + $ knife vault create ca_pubkeys grid_ssh_ca.prod \ | |
79 | + > --json ~/tmp/grid_ssh_ca.prod.pub.json | |
80 | +=end | |
81 | + | |
60 | 82 | default['ssl_cert']['server_key_vault'] = 'ssl_server_keys' |
61 | 83 | default['ssl_cert']['server_key_vault_item_key'] = 'private' |
62 | 84 | default['ssl_cert']['server_key_file_prefix'] = '' |
@@ -108,6 +130,11 @@ node['ssl_cert']['ca_names'].each {|ca| | ||
108 | 130 | = "#{node['ssl_cert']['certs_dir']}/#{node['ssl_cert']['ca_cert_file_prefix']}#{ca}.crt" |
109 | 131 | } |
110 | 132 | |
133 | +node['ssl_cert']['ca_pubkey_names'].each {|ca| | |
134 | + default['ssl_cert']["#{ca}_pubkey_path"] \ | |
135 | + = "#{node['ssl_cert']['certs_dir']}/#{node['ssl_cert']['ca_pubkey_file_prefix']}#{ca}.pub" | |
136 | +} | |
137 | + | |
111 | 138 | undotted_cns.each {|cn| |
112 | 139 | default['ssl_cert']["#{cn}_key_path"] \ |
113 | 140 | = "#{node['ssl_cert']['private_dir']}/#{node['ssl_cert']['server_key_file_prefix']}#{cn}.key" |
@@ -105,6 +105,27 @@ module Helper | ||
105 | 105 | end |
106 | 106 | |
107 | 107 | |
108 | + def ca_public_key(ca) | |
109 | + undotted_ca = ca.gsub('.', '_') | |
110 | + | |
111 | + chef_gem_chef_vault | |
112 | + require 'chef-vault' | |
113 | + pubkey = ChefVault::Item.load( | |
114 | + node['ssl_cert']['ca_pubkey_vault'], "#{ca}#{vault_item_suffix}") | |
115 | + node['ssl_cert']['ca_pubkey_vault_item_key'].split('/').each {|elm| | |
116 | + pubkey = pubkey[elm] | |
117 | + } | |
118 | + | |
119 | + pubkey_path = node['ssl_cert']["#{undotted_ca}_pubkey_path"] | |
120 | + resources(:file => pubkey_path) rescue file pubkey_path do | |
121 | + content pubkey | |
122 | + owner 'root' | |
123 | + group 'root' | |
124 | + mode 0644 | |
125 | + end | |
126 | + end | |
127 | + | |
128 | + | |
108 | 129 | def server_certificate(cn) |
109 | 130 | undotted_cn = cn.gsub('.', '_') |
110 | 131 |
@@ -4,5 +4,5 @@ maintainer_email '' | ||
4 | 4 | license 'Apache 2.0' |
5 | 5 | description 'Installs/Configures ssl_cert' |
6 | 6 | long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) |
7 | -version '0.1.5' | |
7 | +version '0.2.0' | |
8 | 8 |
@@ -0,0 +1,25 @@ | ||
1 | +# | |
2 | +# Cookbook Name:: ssl_cert | |
3 | +# Recipe:: ca_pubkeys | |
4 | +# | |
5 | +# Copyright 2016, whitestar | |
6 | +# | |
7 | +# Licensed under the Apache License, Version 2.0 (the "License"); | |
8 | +# you may not use this file except in compliance with the License. | |
9 | +# You may obtain a copy of the License at | |
10 | +# | |
11 | +# http://www.apache.org/licenses/LICENSE-2.0 | |
12 | +# | |
13 | +# Unless required by applicable law or agreed to in writing, software | |
14 | +# distributed under the License is distributed on an "AS IS" BASIS, | |
15 | +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
16 | +# See the License for the specific language governing permissions and | |
17 | +# limitations under the License. | |
18 | +# | |
19 | + | |
20 | +::Chef::Recipe.send(:include, SSLCert::Helper) | |
21 | + | |
22 | +node['ssl_cert']['ca_pubkey_names'].each {|ca| | |
23 | + ca_public_key(ca) | |
24 | +} | |
25 | + |