test(inspec): add tests based on existing Serverspec tests (#168)

* ci(kitchen): use `openssh.config` as `state_top`
* Semi-automated using https://github.com/myii/ssf-formula/pull/33
* test(pillar): remove deprecated option and disabled method
* https://travis-ci.org/myii/openssh-formula/jobs/585340845#L1811-L1813:
* test(pillar): use same SSH options as used by Travis
* Using existing options locks out after `kitchen converge` (before `verify`)
* https://travis-ci.org/myii/openssh-formula/jobs/585356835#L2957-L2965:
* test(inspec): add tests based on existing Serverspec tests
* Follows on from #166
Imran Iqbal 2019-09-16 19:28:05 +01:00 committed by Niels Abspoel
parent 09b44cbb54
commit 267042c838
6 changed files with 83 additions and 191 deletions


@ -154,7 +154,7 @@ suites:
state_top:
base:
'*':
- openssh
- openssh.config
pillars:
top.sls:
base:
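Review bot: With `state_top` now applying only `openssh.config`, the `openssh package` and `openssh service` controls added in this commit can only pass if `openssh.config` itself pulls in the package and service states; if it does not, the suite should keep `openssh` listed ahead of `openssh.config` so the package is installed and the service enabled before `kitchen verify` runs. The enclosing `suites:` entry starts outside the hunk, so I cannot tell whether another suite still exercises the top-level `openssh` state. A one-line comment next to the entry, such as `# openssh.config is expected to include the package and service states`, would make the dependency explicit once confirmed.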


@ -14,7 +14,6 @@ sshd_config:
- /etc/ssh/ssh_host_dsa_key
- /etc/ssh/ssh_host_ecdsa_key
- /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation: 'sandbox'
SyslogFacility: AUTH
LogLevel: INFO
ClientAliveInterval: 0
@ -32,7 +31,7 @@ sshd_config:
HostbasedAuthentication: 'no'
PermitEmptyPasswords: 'no'
ChallengeResponseAuthentication: 'no'
AuthenticationMethods: 'publickey,keyboard-interactive'
AuthenticationMethods: 'publickey'
AuthorizedKeysFile: '%h/.ssh/authorized_keys'
X11Forwarding: 'no'
X11DisplayOffset: 10
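Review bot: `AuthenticationMethods: 'publickey'` is now consistent with `ChallengeResponseAuthentication: 'no'` two lines above it, but nothing in the file records why `keyboard-interactive` was dropped, so a later editor may reinstate a method that cannot succeed; a comment above the key such as `# keyboard-interactive omitted: ChallengeResponseAuthentication is 'no', so it could never succeed` preserves the reasoning. The `UsePrivilegeSeparation` removal in the first hunk of this file deserves the same treatment, since the example pillar is the place users copy from and the only explanation currently lives in the commit message.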


@ -0,0 +1,33 @@
# Overide by Platform
root_group = 'root'
if platform[:family] == 'freebsd'
root_group = 'wheel'
end
control 'openssh configuration' do
title 'should match desired lines'
describe file('/etc/ssh/sshd_config') do
it { should be_file }
its('mode') { should cmp '0644' }
it { should be_owned_by 'root' }
it { should be_grouped_into root_group }
its('content') { should include 'ChallengeResponseAuthentication no' }
its('content') { should include 'X11Forwarding yes' }
its('content') { should include 'PrintMotd no' }
its('content') { should include 'AcceptEnv LANG LC_*' }
its('content') { should include 'Subsystem sftp /usr/lib/openssh/sftp-server' }
its('content') { should include 'UsePAM yes' }
end
describe file('/etc/ssh/ssh_config') do
it { should be_file }
its('mode') { should cmp '0644' }
it { should be_owned_by 'root' }
it { should be_grouped_into root_group }
its('content') { should include 'Host *' }
its('content') { should include ' GSSAPIAuthentication yes' }
its('content') { should include ' HashKnownHosts yes' }
its('content') { should include ' SendEnv LANG LC_*' }
end
end
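Review bot: The `its('content') { should include ... }` assertions are plain substring checks, so a commented-out default such as `#UsePAM yes`, or a directive that is later overridden by a conflicting value in the same file, still satisfies them; anchored line matches such as `its('content') { should match(/^X11Forwarding yes$/) }` (and `/^\s+GSSAPIAuthentication yes$/` for the indented `ssh_config` entries) pin each directive as actually set. The control also carries no `impact`, unlike `openssh service` which sets `impact 0.5`; adding it here and in `openssh package` keeps the three controls weighted consistently in reports. `# Overide by Platform` should read `# Override by Platform`, and the same comment heads the package and service controls added in this commit.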


@ -0,0 +1,13 @@
# Overide by Platform
package_name = 'openssh-server'
if platform[:family] == 'suse'
package_name = 'openssh'
end
control 'openssh package' do
title 'should be installed'
describe package(package_name) do
it { should be_installed }
end
end


@ -0,0 +1,15 @@
# Overide by Platform
service_name = 'sshd'
if platform[:family] == 'debian'
service_name = 'ssh'
end
control 'openssh service' do
impact 0.5
title 'should be running and enabled'
describe service(service_name) do
it { should be_enabled }
it { should be_running }
end
end


@ -1,203 +1,35 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
# yamllint disable rule:line-length
# Using a stripped down version of both `sshd_config` and `ssh_config` here
# The values introduced by the initial commit are taken from the Travis
# instances themselves
# Care must be taken when modifying this, not to lock out Travis before the
# `kitchen verify` stage takes place, resulting in:
# ```
# $$$$$$ [SSH] connection failed, terminating (#<Net::SSH::AuthenticationFailed: Authentication failed for user kitchen@localhost>)
# >>>>>> ------Exception-------
# >>>>>> Class: Kitchen::ActionFailed
# >>>>>> Message: 1 actions failed.
# >>>>>> Failed to complete #verify action: [Transport error, can't connect to 'ssh' backend: SSH session could not be established] on ...
# ```
# yamllint enable rule:line-length
sshd_config:
# This keyword is totally optional
ConfigBanner: |
# Alternative banner for the config file
# (Indented) hash signs lose their special meaning here
# and the lines will be written as-is.
Port: 22
Protocol: 2
HostKey:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_dsa_key
- /etc/ssh/ssh_host_ecdsa_key
- /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation: 'sandbox'
SyslogFacility: AUTH
LogLevel: INFO
ClientAliveInterval: 0
ClientAliveCountMax: 3
LoginGraceTime: 120
PermitRootLogin: 'yes'
PasswordAuthentication: 'no'
StrictModes: 'yes'
MaxAuthTries: 6
MaxSessions: 10
PubkeyAuthentication: 'yes'
AuthorizedKeysCommand: '/usr/bin/sss_ssh_authorizedkeys'
AuthorizedKeysCommandUser: 'nobody'
IgnoreRhosts: 'yes'
HostbasedAuthentication: 'no'
PermitEmptyPasswords: 'no'
ChallengeResponseAuthentication: 'no'
AuthenticationMethods: 'publickey,keyboard-interactive'
AuthorizedKeysFile: '%h/.ssh/authorized_keys'
X11Forwarding: 'no'
X11DisplayOffset: 10
PrintMotd: 'yes'
PrintLastLog: 'yes'
TCPKeepAlive: 'yes'
X11Forwarding: 'yes'
PrintMotd: 'no'
AcceptEnv: "LANG LC_*"
Subsystem: "sftp /usr/lib/openssh/sftp-server"
UsePAM: 'yes'
UseDNS: 'yes'
# set as string
AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke'
# # or set as list
# AllowUsers:
# - vader@10.0.0.1
# - maul@evil.com
# - sidious
# - luke
# # set as string
# DenyUsers: 'yoda chewbaca@112.10.21.1'
# or set as list
DenyUsers:
- yoda
- chewbaca@112.10.21.1
# # set as string
# AllowGroups: 'wheel staff imperial'
# or set as list
AllowGroups:
- wheel
- staff
- imperial
# set as string
DenyGroups: 'rebel'
# # or set as list
# DenyGroups:
# - rebel
# - badcompany
matches:
sftp_chroot:
type:
Group: sftpusers
options:
ChrootDirectory: /sftp-chroot/%u
X11Forwarding: 'no'
AllowTcpForwarding: 'no'
ForceCommand: internal-sftp
# Supports complex compound matches in Match criteria. For example, be able
# to match against multiple Users for a given Match, or be able to match
# against address ranges. Or Groups. Or any combination thereof.
#
# Support for matching users can take one of several different appearances
# in pillar data:
match_1:
type:
User: one_user
options:
ChrootDirectory: /ex/%u
match_2:
type:
User:
- jim
- bob
- sally
options:
ChrootDirectory: /ex/%u
# Note the syntax of match_3. By using empty dicts for each user, we can
# leverage Salt's pillar mergine. If we use simple lists, we cannot do
# this; Salt can't merge simple lists, because it doesn't know what order
# they ought to be in.
match_3:
type:
User:
jim: ~
bob: ~
sally: ~
options:
ChrootDirectory: /ex/%u
# Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first.
# You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
# The configuration given in the example below is based on:
# https://stribika.github.io/2015/01/04/secure-secure-shell.html
# KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
# yamllint disable rule:line-length
# Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
# MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
# yamllint enable rule:line-length
KexAlgorithms:
- 'curve25519-sha256@libssh.org'
- 'diffie-hellman-group-exchange-sha256'
Ciphers:
- 'chacha20-poly1305@openssh.com'
- 'aes256-gcm@openssh.com'
- 'aes128-gcm@openssh.com'
- 'aes256-ctr'
- 'aes192-ctr'
- 'aes128-ctr'
MACs:
- 'hmac-sha2-512-etm@openssh.com'
- 'hmac-sha2-256-etm@openssh.com'
- 'umac-128-etm@openssh.com'
- 'hmac-sha2-512'
- 'hmac-sha2-256'
- 'umac-128@openssh.com'
# Warning! You should generally NOT NEED to set ssh_config. Setting ssh_config
# pillar will overwrite the defaults of your distribution's SSH client. This
# will also force the default configuration for all the SSH clients on the
# machine. This can break SSH connections with servers using older versions of
# openssh. Please make sure you understand the implication of different settings
ssh_config:
Hosts:
'*':
StrictHostKeyChecking: 'no'
ForwardAgent: 'no'
ForwardX11: 'no'
RhostsRSAAuthentication: 'no'
RSAAuthentication: 'yes'
PasswordAuthentication: 'yes'
HostbasedAuthentication: 'no'
GSSAPIAuthentication: 'no'
GSSAPIDelegateCredentials: 'no'
BatchMode: 'yes'
CheckHostIP: 'yes'
AddressFamily: 'any'
ConnectTimeout: 0
IdentityFile: '~/.ssh/id_rsa'
Port: 22
Protocol: 2
Cipher: '3des'
Tunnel: 'no'
TunnelDevice: 'any:any'
PermitLocalCommand: 'no'
VisualHostKey: 'no'
# Check `man ssh_config` for supported KexAlgorithms, Ciphers and MACs first.
# WARNING! Please make sure you understand the implications of the below
# settings. The examples provided below might break your connection to older /
# legacy openssh servers.
# The configuration given in the example below is based on:
# https://stribika.github.io/2015/01/04/secure-secure-shell.html
# You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
# yamllint disable rule:line-length
# KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1'
# Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
# MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
# yamllint enable rule:line-length
KexAlgorithms:
- 'curve25519-sha256@libssh.org'
- 'diffie-hellman-group-exchange-sha256'
- 'diffie-hellman-group-exchange-sha1'
- 'diffie-hellman-group14-sha1'
Ciphers:
- 'chacha20-poly1305@openssh.com'
- 'aes256-gcm@openssh.com'
- 'aes128-gcm@openssh.com'
- 'aes256-ctr'
- 'aes192-ctr'
- 'aes128-ctr'
MACs:
- 'hmac-sha2-512-etm@openssh.com'
- 'hmac-sha2-256-etm@openssh.com'
- 'umac-128-etm@openssh.com'
- 'hmac-sha2-512'
- 'hmac-sha2-256'
- 'umac-128@openssh.com'
GSSAPIAuthentication: 'yes'
HashKnownHosts: 'yes'
SendEnv: 'LANG LC_*'
openssh: