From 06ef24b8e15a8c27433c639846d88d11835209ec Mon Sep 17 00:00:00 2001
From: Daniel Dehennin
Date: Tue, 21 Jul 2020 10:52:03 +0200
Subject: [PATCH 1/3] test(config_spec): verify /etc/ssh/ssh_known_hosts

---
 test/integration/default/controls/config_spec.rb | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/test/integration/default/controls/config_spec.rb b/test/integration/default/controls/config_spec.rb
index 283c059..5a9ac25 100644
--- a/test/integration/default/controls/config_spec.rb
+++ b/test/integration/default/controls/config_spec.rb
@@ -9,6 +9,11 @@
   root_group = 'root'
 end
 
+github_known_host = 'github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]'
+gitlab_known_host_re = /gitlab.com,[0-9a-f.:,]* ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABA/
+minion_rsa_known_host = 'minion.id,alias.of.minion.id ssh-rsa [...]'
+minion_ed25519_known_host = 'minion.id,alias.of.minion.id ssh-ed25519 [...]'
+
 control 'openssh configuration' do
   title 'should match desired lines'
 
@@ -35,4 +40,15 @@ control 'openssh configuration' do
     its('content') { should include ' HashKnownHosts yes' }
     its('content') { should include ' SendEnv LANG LC_*' }
   end
+
+  describe file('/etc/ssh/ssh_known_hosts') do
+    it { should be_file }
+    its('mode') { should cmp '0644' }
+    it { should be_owned_by 'root' }
+    it { should be_grouped_into 'root' }
+    its('content') { should include github_known_host }
+    its('content') { should match(gitlab_known_host_re) }
+    its('content') { should include minion_rsa_known_host }
+    its('content') { should include minion_ed25519_known_host }
+  end
 end

From 644e61651d1cee2bc6ea9f7fdc5a7a51ffe342ff Mon Sep 17 00:00:00 2001
From: Daniel Dehennin
Date: Tue, 21 Jul 2020 10:52:32 +0200
Subject: [PATCH 2/3] ci(kitchen): execute `openssh.known_hosts` state

---
 kitchen.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kitchen.yml b/kitchen.yml
index d221fde..1e6ff42 100644
--- a/kitchen.yml
+++ b/kitchen.yml
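Review bot: `gitlab_known_host_re` does not actually pin GitLab's host key: the base64 prefix `AAAAB3NzaC1yc2EAAAADAQABAAABA` is just the encoding of the `ssh-rsa` type string, the exponent 65537 and the start of a 2048-bit modulus length, so every 2048-bit RSA key with the default exponent begins with it, and the unescaped dots in `gitlab.com` match any character. Because `/etc/ssh/ssh_known_hosts` exists precisely to pin host keys, the `should match(gitlab_known_host_re)` assertion in the second hunk only proves that some 2048-bit RSA entry for a gitlab.com-like host name is present, not that the right key was installed. Escape the dots and extend the pattern with a distinctive portion of the real key, e.g. `gitlab_known_host_re = /gitlab\.com,[0-9a-f.:,]* ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ<distinctive-key-fragment>/` (fragment taken from the key the state installs), or assert on the complete key line as `github_known_host` does. If the IP list has to stay variable, the key part should still be matched in full.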
@@ -154,6 +154,7 @@ suites:
         base:
           '*':
             - openssh.config
+            - openssh.known_hosts
       pillars:
         top.sls:
           base:

From 0b667cbcf5e6560d3e92dc5d36b6649c629bfcd7 Mon Sep 17 00:00:00 2001
From: Daniel Dehennin
Date: Tue, 21 Jul 2020 11:49:22 +0200
Subject: [PATCH 3/3] fix(known_hosts): dig package does not install on Arch

The conditionnal on `ensure dig is available` does not work on Arch since the `which` command does not exists. As the `pkg.installed` state is idempotent, we don't need an extra check which depends on the environment. The `dig` utility is provided by `bind` on Arch and no more by `bind-tools`.
---
 openssh/known_hosts.sls  | 1 -
 openssh/osfamilymap.yaml | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/openssh/known_hosts.sls b/openssh/known_hosts.sls
index db0e267..c196707 100644
--- a/openssh/known_hosts.sls
+++ b/openssh/known_hosts.sls
@@ -5,7 +5,6 @@ ensure dig is available:
   pkg.installed:
     - name: {{ openssh.dig_pkg }}
-    - unless: which dig
 
 manage ssh_known_hosts file:
   file.managed:
diff --git a/openssh/osfamilymap.yaml b/openssh/osfamilymap.yaml
index 3d98529..ca9e564 100644
--- a/openssh/osfamilymap.yaml
+++ b/openssh/osfamilymap.yaml
@@ -6,7 +6,7 @@ Arch:
   server: openssh
   client: openssh
   service: sshd
-  dig_pkg: bind-tools
+  dig_pkg: bind
   sshd_config:
     Subsystem: sftp /usr/lib/ssh/sftp-server