From 613bea2cac1c34c2c54cc9b27dfb3263a99129ef Mon Sep 17 00:00:00 2001
From: Adam Mendlik
Date: Thu, 23 Feb 2017 14:42:16 -0700
Subject: [PATCH 1/2] Add variables for file owner and mode
---
 .kitchen.yml | 4 +++-
 openssh/config.sls | 10 ++++++----
 openssh/defaults.yaml | 6 ++++++
 .../default/serverspec/openssl_server_spec.rb | 12 ++++++++++++
 4 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/.kitchen.yml b/.kitchen.yml
index f2af536..d7b7f75 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -21,7 +21,9 @@ provisioner: '*': - openssl openssl.sls: - sshd_enable: true + openssh: + sshd_config_mode: '600' + ssh_config_mode: '600' suites: - name: default
diff --git a/openssh/config.sls b/openssh/config.sls
index e462888..6c81c8c 100644
--- a/openssh/config.sls
+++ b/openssh/config.sls
@@ -8,8 +8,9 @@ sshd_config: - name: {{ openssh.sshd_config }} - source: {{ openssh.sshd_config_src }} - template: jinja - - user: root - - mode: 644 + - user: {{ openssh.sshd_config_user }} + - group: {{ openssh.sshd_config_group }} + - mode: {{ openssh.sshd_config_mode }} - watch_in: - service: openssh
@@ -18,8 +19,9 @@ ssh_config: - name: {{ openssh.ssh_config }} - source: {{ openssh.ssh_config_src }} - template: jinja - - user: root - - mode: 644 + - user: {{ openssh.ssh_config_user }} + - group: {{ openssh.ssh_config_group }} + - mode: {{ openssh.ssh_config_mode }} {% for keyType in ['ecdsa', 'dsa', 'rsa', 'ed25519'] %} {% if salt['pillar.get']('openssh:generate_' ~ keyType ~ '_keys', False) %}
diff --git a/openssh/defaults.yaml b/openssh/defaults.yaml
index 8f21dc9..2a34b31 100644
--- a/openssh/defaults.yaml
+++ b/openssh/defaults.yaml
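Review bot: `- mode: {{ openssh.sshd_config_mode }}` emits the pillar value unquoted, so the string form that defaults.yaml uses (`'644'`) is lost at render time: a pillar override written with a leading zero, such as 0600, reaches the YAML renderer as a bare number and may be reinterpreted as an octal integer before file.managed sees it. Rendering it inside quotes, `- mode: '{{ openssh.sshd_config_mode }}'`, keeps the value a string whatever the pillar supplies; the ssh_config hunk below has the same `- mode: {{ openssh.ssh_config_mode }}` line and needs the same change. The `sshd_config:` state and its `file.managed` line sit above the hunk. A short comment above the three new entries, e.g. `# owner/group/mode come from defaults.yaml and can be overridden in the openssh pillar; mode must stay a string`, would document the new contract where it is consumed.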
@@ -2,8 +2,14 @@ openssh:
 sshd_enable: True
 sshd_config: /etc/ssh/sshd_config
 sshd_config_src: salt://openssh/files/sshd_config
+ sshd_config_user: root
+ sshd_config_group: root
+ sshd_config_mode: '644'
 ssh_config: /etc/ssh/ssh_config
 ssh_config_src: salt://openssh/files/ssh_config
+ ssh_config_user: root
+ ssh_config_group: root
+ ssh_config_mode: '644'
 banner: /etc/ssh/banner
 banner_src: salt://openssh/files/banner
 ssh_known_hosts: /etc/ssh/ssh_known_hosts
diff --git a/test/integration/default/serverspec/openssl_server_spec.rb b/test/integration/default/serverspec/openssl_server_spec.rb
index 30ba8d2..d4d5572 100644
--- a/test/integration/default/serverspec/openssl_server_spec.rb
+++ b/test/integration/default/serverspec/openssl_server_spec.rb
@@ -14,4 +14,16 @@ describe 'openssl/config.sls' do it { should be_running } end + describe file('/etc/ssh/sshd_config') do + it { should be_mode 600 } + it { should be_owned_by 'root' } + it { should be_grouped_into 'root' } + end + + describe file('/etc/ssh/ssh_config') do + it { should be_mode 600 } + it { should be_owned_by 'root' } + it { should be_grouped_into 'root' } + end + end
From b3fd60f016497b83e761052a3c90f7d9877d27e8 Mon Sep 17 00:00:00 2001
From: Adam Mendlik
Date: Fri, 24 Feb 2017 13:39:59 -0700
Subject: [PATCH 2/2] Test using default permissions for ssh_config
---
 .kitchen.yml | 1 -
 test/integration/default/serverspec/openssl_server_spec.rb | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/.kitchen.yml b/.kitchen.yml
index d7b7f75..fa97d23 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -23,7 +23,6 @@ provisioner: openssl.sls: openssh: sshd_config_mode: '600' - ssh_config_mode: '600' suites: - name: default
diff --git a/test/integration/default/serverspec/openssl_server_spec.rb b/test/integration/default/serverspec/openssl_server_spec.rb
index d4d5572..944b10b 100644
--- a/test/integration/default/serverspec/openssl_server_spec.rb
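Review bot: The new default `sshd_config_mode: '644'` leaves sshd_config world-readable; that matches the 644 the state previously hard-coded, but it is looser than the '600' the .kitchen.yml pillar exercises and than the 0600 that common SSH hardening baselines expect for sshd_config, and nothing in the file says which of the two is the intended posture. If 644 is kept deliberately for backward compatibility, record that above the key, e.g. `# 644 preserves the pre-variable default; hardened hosts typically set '600'`. The quoted form is the right choice for all six new values, and the same comment should note that the mode must stay a quoted string so a leading zero is not parsed as an octal integer.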
+++ b/test/integration/default/serverspec/openssl_server_spec.rb
@@ -21,7 +21,7 @@ describe 'openssl/config.sls' do end describe file('/etc/ssh/ssh_config') do - it { should be_mode 600 } + it { should be_mode 644 } it { should be_owned_by 'root' } it { should be_grouped_into 'root' } end
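Review bot: With ssh_config now asserted at its default `be_mode 644`, the only override still exercised by .kitchen.yml is sshd_config_mode, so the user and group variables introduced in config.sls are never tested with a non-default value: `be_owned_by 'root'` and `be_grouped_into 'root'` would also pass if the template ignored `openssh.ssh_config_user` or `openssh.ssh_config_group` and fell back to root. Overriding one of the group keys in the kitchen pillar to an existing non-root group and asserting that group here would cover the wiring for both files. The enclosing `describe 'openssl/config.sls'` block starts above the hunk and ends below it.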