fix(openbsd): fix dig_pkg, avoid UsePAM & add verification file

This commit is contained in:
Imran Iqbal 2021-03-25 01:13:00 +00:00
parent 4c857fe071
commit 286856058a
No known key found for this signature in database
GPG Key ID: 6D8629439D2B7819
5 changed files with 194 additions and 4 deletions

View File

@ -3,9 +3,13 @@
{%- from tplroot ~ "/libtofs.jinja" import files_switch %} {%- from tplroot ~ "/libtofs.jinja" import files_switch %}
{%- set openssh = mapdata.openssh %} {%- set openssh = mapdata.openssh %}
{%- if openssh.dig_pkg %}
ensure dig is available: ensure dig is available:
pkg.installed: pkg.installed:
- name: {{ openssh.dig_pkg }} - name: {{ openssh.dig_pkg }}
- require_in:
- file: manage ssh_known_hosts file
{%- endif %}
manage ssh_known_hosts file: manage ssh_known_hosts file:
file.managed: file.managed:
@ -19,5 +23,3 @@ manage ssh_known_hosts file:
- user: root - user: root
- group: {{ openssh.ssh_config_group }} - group: {{ openssh.ssh_config_group }}
- mode: 644 - mode: 644
- require:
- pkg: ensure dig is available

View File

@ -12,6 +12,8 @@
values: values:
openssh: openssh:
service: sshd service: sshd
# Already installed: `base68:/usr/bin/dig`
dig_pkg: ~
sshd_config_group: wheel sshd_config_group: wheel
ssh_config_group: wheel ssh_config_group: wheel
sshd_config: sshd_config:

View File

@ -27,8 +27,10 @@ control 'openssh configuration' do
its('content') { should include 'PrintMotd no' } its('content') { should include 'PrintMotd no' }
its('content') { should include 'AcceptEnv LANG LC_*' } its('content') { should include 'AcceptEnv LANG LC_*' }
its('content') { should include 'Subsystem sftp /usr/lib/openssh/sftp-server' } its('content') { should include 'Subsystem sftp /usr/lib/openssh/sftp-server' }
unless %w[openbsd].include?(platform[:name])
its('content') { should include 'UsePAM yes' } its('content') { should include 'UsePAM yes' }
end end
end
describe file('/etc/ssh/ssh_config') do describe file('/etc/ssh/ssh_config') do
it { should be_file } it { should be_file }
@ -45,7 +47,7 @@ control 'openssh configuration' do
it { should be_file } it { should be_file }
its('mode') { should cmp '0644' } its('mode') { should cmp '0644' }
it { should be_owned_by 'root' } it { should be_owned_by 'root' }
it { should be_grouped_into 'root' } it { should be_grouped_into root_group }
its('content') { should include github_known_host } its('content') { should include github_known_host }
its('content') { should match(gitlab_known_host_re) } its('content') { should match(gitlab_known_host_re) }
its('content') { should include minion_rsa_known_host } its('content') { should include minion_rsa_known_host }

View File

@ -0,0 +1,182 @@
# yamllint disable rule:indentation rule:line-length
# OpenBSD-6
---
values:
map_jinja:
sources:
- Y:G@osarch
- Y:G@os_family
- Y:G@os
- Y:G@osfinger
- C:SUB@openssh:lookup
- C:SUB@openssh
- C:SUB@sshd_config:lookup
- C:SUB@sshd_config
- C:SUB@ssh_config:lookup
- C:SUB@ssh_config
- Y:G@id
openssh:
absent_dsa_keys: false
absent_ecdsa_keys: false
absent_ed25519_keys: false
absent_rsa_keys: false
auth:
joe-non-valid-ssh-key:
- comment: obsolete key - removed
enc: ssh-rsa
present: false
source: salt://ssh_keys/joe.no-valid.pub
user: joe
joe-valid-ssh-key-desktop:
- comment: main key - desktop
enc: ssh-rsa
present: true
source: salt://ssh_keys/joe.desktop.pub
user: joe
joe-valid-ssh-key-notebook:
- comment: main key - notebook
enc: ssh-rsa
present: true
source: salt://ssh_keys/joe.netbook.pub
user: joe
auth_map:
personal_keys:
source: salt://ssh_keys
users:
joe:
joe.desktop: {}
joe.netbook:
options: []
joe.no-valid:
present: false
banner: /etc/ssh/banner
banner_src: banner
banner_string: 'Welcome to example.net!
'
client_version: latest
dig_pkg: ~
dsa:
private_key: '-----BEGIN DSA PRIVATE KEY-----
NOT_DEFINED
-----END DSA PRIVATE KEY-----
'
public_key: 'ssh-dss NOT_DEFINED
'
ecdsa:
private_key: '-----BEGIN EC PRIVATE KEY-----
NOT_DEFINED
-----END EC PRIVATE KEY-----
'
public_key: 'ecdsa-sha2-nistp256 NOT_DEFINED
'
ed25519:
private_key: '-----BEGIN OPENSSH PRIVATE KEY-----
NOT_DEFINED
-----END OPENSSH PRIVATE KEY-----
'
public_key: 'ssh-ed25519 NOT_DEFINED
'
enforce_rsa_size: false
generate_dsa_keys: false
generate_ecdsa_keys: false
generate_ed25519_keys: false
generate_rsa_keys: false
generate_rsa_size: 4096
host_key_algos: ecdsa,ed25519,rsa
known_hosts:
aliases:
- cname-to-minion.example.org
- alias.example.org
hostnames: false
include_localhost: false
mine_hostname_function: public_ssh_hostname
mine_keys_function: public_ssh_host_keys
omit_ip_address:
- github.com
salt_ssh:
public_ssh_host_keys:
minion.id: 'ssh-rsa [...]
ssh-ed25519 [...]
'
public_ssh_host_names:
minion.id:
- minion.id
- alias.of.minion.id
user: salt-master
static:
github.com: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]
gitlab.com: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...]
target: '*'
tgt_type: glob
moduli: '# Time Type Tests Tries Size Generator Modulus
20120821045639 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293680B09D63
20120821045830 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936814C2FFB
20120821050046 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368214FC53
20120821050054 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368218E83F
'
provide_dsa_keys: false
provide_ecdsa_keys: false
provide_ed25519_keys: false
provide_rsa_keys: false
root_group: root
rsa:
private_key: '-----BEGIN RSA PRIVATE KEY-----
NOT_DEFINED
-----END RSA PRIVATE KEY-----
'
public_key: 'ssh-rsa NOT_DEFINED
'
server_version: latest
service: sshd
ssh_config: /etc/ssh/ssh_config
ssh_config_backup: true
ssh_config_group: wheel
ssh_config_mode: '644'
ssh_config_src: ssh_config
ssh_config_user: root
ssh_known_hosts: /etc/ssh/ssh_known_hosts
ssh_known_hosts_src: ssh_known_hosts
ssh_moduli: /etc/ssh/moduli
sshd_binary: /usr/sbin/sshd
sshd_config: /etc/ssh/sshd_config
sshd_config_backup: true
sshd_config_group: wheel
sshd_config_mode: '644'
sshd_config_src: sshd_config
sshd_config_user: root
sshd_enable: true
tofs:
source_files:
manage ssh_known_hosts file:
- alt_ssh_known_hosts
ssh_config:
- alt_ssh_config
sshd_banner:
- fire_banner
sshd_config:
- alt_sshd_config
ssh_config:
Hosts:
'*':
GSSAPIAuthentication: 'yes'
HashKnownHosts: 'yes'
SendEnv: LANG LC_*
sshd_config:
AcceptEnv: LANG LC_*
ChallengeResponseAuthentication: 'no'
PrintMotd: 'no'
Subsystem: sftp /usr/lib/openssh/sftp-server
X11Forwarding: 'yes'

View File

@ -22,7 +22,9 @@ sshd_config:
PrintMotd: 'no' PrintMotd: 'no'
AcceptEnv: "LANG LC_*" AcceptEnv: "LANG LC_*"
Subsystem: "sftp /usr/lib/openssh/sftp-server" Subsystem: "sftp /usr/lib/openssh/sftp-server"
{%- if grains.os != "OpenBSD" %}
UsePAM: 'yes' UsePAM: 'yes'
{%- endif %}
ssh_config: ssh_config:
Hosts: Hosts: