From 286856058ac1b7231cbd3455826a751963c3ca45 Mon Sep 17 00:00:00 2001 From: Imran Iqbal Date: Thu, 25 Mar 2021 01:13:00 +0000 Subject: [PATCH] fix(openbsd): fix `dig_pkg`, avoid `UsePAM` & add verification file --- openssh/known_hosts.sls | 6 +- openssh/parameters/os_family/OpenBSD.yaml | 2 + .../default/controls/config_spec.rb | 6 +- .../default/files/_mapdata/openbsd-6.yaml | 182 ++++++++++++++++++ test/salt/pillar/default.sls | 2 + 5 files changed, 194 insertions(+), 4 deletions(-) create mode 100644 test/integration/default/files/_mapdata/openbsd-6.yaml diff --git a/openssh/known_hosts.sls b/openssh/known_hosts.sls index 96338fb..0d729df 100644 --- a/openssh/known_hosts.sls +++ b/openssh/known_hosts.sls @@ -3,9 +3,13 @@ {%- from tplroot ~ "/libtofs.jinja" import files_switch %} {%- set openssh = mapdata.openssh %} +{%- if openssh.dig_pkg %} ensure dig is available: pkg.installed: - name: {{ openssh.dig_pkg }} + - require_in: + - file: manage ssh_known_hosts file +{%- endif %} manage ssh_known_hosts file: file.managed: @@ -19,5 +23,3 @@ manage ssh_known_hosts file: - user: root - group: {{ openssh.ssh_config_group }} - mode: 644 - - require: - - pkg: ensure dig is available diff --git a/openssh/parameters/os_family/OpenBSD.yaml b/openssh/parameters/os_family/OpenBSD.yaml index b0b381c..d1d8bb1 100644 --- a/openssh/parameters/os_family/OpenBSD.yaml +++ b/openssh/parameters/os_family/OpenBSD.yaml @@ -12,6 +12,8 @@ values: openssh: service: sshd + # Already installed: `base68:/usr/bin/dig` + dig_pkg: ~ sshd_config_group: wheel ssh_config_group: wheel sshd_config: diff --git a/test/integration/default/controls/config_spec.rb b/test/integration/default/controls/config_spec.rb index 5a9ac25..b6b0260 100644 --- a/test/integration/default/controls/config_spec.rb +++ b/test/integration/default/controls/config_spec.rb @@ -27,7 +27,9 @@ control 'openssh configuration' do its('content') { should include 'PrintMotd no' } its('content') { should include 'AcceptEnv LANG LC_*' } its('content') { should include 'Subsystem sftp /usr/lib/openssh/sftp-server' } - its('content') { should include 'UsePAM yes' } + unless %w[openbsd].include?(platform[:name]) + its('content') { should include 'UsePAM yes' } + end end describe file('/etc/ssh/ssh_config') do @@ -45,7 +47,7 @@ control 'openssh configuration' do it { should be_file } its('mode') { should cmp '0644' } it { should be_owned_by 'root' } - it { should be_grouped_into 'root' } + it { should be_grouped_into root_group } its('content') { should include github_known_host } its('content') { should match(gitlab_known_host_re) } its('content') { should include minion_rsa_known_host } diff --git a/test/integration/default/files/_mapdata/openbsd-6.yaml b/test/integration/default/files/_mapdata/openbsd-6.yaml new file mode 100644 index 0000000..ca634ba --- /dev/null +++ b/test/integration/default/files/_mapdata/openbsd-6.yaml @@ -0,0 +1,182 @@ +# yamllint disable rule:indentation rule:line-length +# OpenBSD-6 +--- +values: + map_jinja: + sources: + - Y:G@osarch + - Y:G@os_family + - Y:G@os + - Y:G@osfinger + - C:SUB@openssh:lookup + - C:SUB@openssh + - C:SUB@sshd_config:lookup + - C:SUB@sshd_config + - C:SUB@ssh_config:lookup + - C:SUB@ssh_config + - Y:G@id + openssh: + absent_dsa_keys: false + absent_ecdsa_keys: false + absent_ed25519_keys: false + absent_rsa_keys: false + auth: + joe-non-valid-ssh-key: + - comment: obsolete key - removed + enc: ssh-rsa + present: false + source: salt://ssh_keys/joe.no-valid.pub + user: joe + joe-valid-ssh-key-desktop: + - comment: main key - desktop + enc: ssh-rsa + present: true + source: salt://ssh_keys/joe.desktop.pub + user: joe + joe-valid-ssh-key-notebook: + - comment: main key - notebook + enc: ssh-rsa + present: true + source: salt://ssh_keys/joe.netbook.pub + user: joe + auth_map: + personal_keys: + source: salt://ssh_keys + users: + joe: + joe.desktop: {} + joe.netbook: + options: [] + joe.no-valid: + present: false + banner: /etc/ssh/banner + banner_src: banner + banner_string: 'Welcome to example.net! + ' + client_version: latest + dig_pkg: ~ + dsa: + private_key: '-----BEGIN DSA PRIVATE KEY----- + + NOT_DEFINED + + -----END DSA PRIVATE KEY----- + ' + public_key: 'ssh-dss NOT_DEFINED + ' + ecdsa: + private_key: '-----BEGIN EC PRIVATE KEY----- + + NOT_DEFINED + + -----END EC PRIVATE KEY----- + ' + public_key: 'ecdsa-sha2-nistp256 NOT_DEFINED + ' + ed25519: + private_key: '-----BEGIN OPENSSH PRIVATE KEY----- + + NOT_DEFINED + + -----END OPENSSH PRIVATE KEY----- + ' + public_key: 'ssh-ed25519 NOT_DEFINED + ' + enforce_rsa_size: false + generate_dsa_keys: false + generate_ecdsa_keys: false + generate_ed25519_keys: false + generate_rsa_keys: false + generate_rsa_size: 4096 + host_key_algos: ecdsa,ed25519,rsa + known_hosts: + aliases: + - cname-to-minion.example.org + - alias.example.org + hostnames: false + include_localhost: false + mine_hostname_function: public_ssh_hostname + mine_keys_function: public_ssh_host_keys + omit_ip_address: + - github.com + salt_ssh: + public_ssh_host_keys: + minion.id: 'ssh-rsa [...] + + ssh-ed25519 [...] + ' + public_ssh_host_names: + minion.id: + - minion.id + - alias.of.minion.id + user: salt-master + static: + github.com: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...] + gitlab.com: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...] + target: '*' + tgt_type: glob + moduli: '# Time Type Tests Tries Size Generator Modulus + + 20120821045639 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293680B09D63 + + 20120821045830 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936814C2FFB + + 20120821050046 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368214FC53 + + 20120821050054 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368218E83F + ' + provide_dsa_keys: false + provide_ecdsa_keys: false + provide_ed25519_keys: false + provide_rsa_keys: false + root_group: root + rsa: + private_key: '-----BEGIN RSA PRIVATE KEY----- + + NOT_DEFINED + + -----END RSA PRIVATE KEY----- + ' + public_key: 'ssh-rsa NOT_DEFINED + ' + server_version: latest + service: sshd + ssh_config: /etc/ssh/ssh_config + ssh_config_backup: true + ssh_config_group: wheel + ssh_config_mode: '644' + ssh_config_src: ssh_config + ssh_config_user: root + ssh_known_hosts: /etc/ssh/ssh_known_hosts + ssh_known_hosts_src: ssh_known_hosts + ssh_moduli: /etc/ssh/moduli + sshd_binary: /usr/sbin/sshd + sshd_config: /etc/ssh/sshd_config + sshd_config_backup: true + sshd_config_group: wheel + sshd_config_mode: '644' + sshd_config_src: sshd_config + sshd_config_user: root + sshd_enable: true + tofs: + source_files: + manage ssh_known_hosts file: + - alt_ssh_known_hosts + ssh_config: + - alt_ssh_config + sshd_banner: + - fire_banner + sshd_config: + - alt_sshd_config + ssh_config: + Hosts: + '*': + GSSAPIAuthentication: 'yes' + HashKnownHosts: 'yes' + SendEnv: LANG LC_* + sshd_config: + AcceptEnv: LANG LC_* + ChallengeResponseAuthentication: 'no' + PrintMotd: 'no' + Subsystem: sftp /usr/lib/openssh/sftp-server + X11Forwarding: 'yes' diff --git a/test/salt/pillar/default.sls b/test/salt/pillar/default.sls index 664b4cd..3551607 100644 --- a/test/salt/pillar/default.sls +++ b/test/salt/pillar/default.sls @@ -22,7 +22,9 @@ sshd_config: PrintMotd: 'no' AcceptEnv: "LANG LC_*" Subsystem: "sftp /usr/lib/openssh/sftp-server" + {%- if grains.os != "OpenBSD" %} UsePAM: 'yes' + {%- endif %} ssh_config: Hosts: