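# frozen_string_literal: true

# InSpec checks for the OpenSSH server config, the client config and the
# system-wide known-hosts file: each must be a root-owned regular file with
# mode 0644 and must contain the expected lines.
#
# NOTE(review): the page this was taken from collapsed whitespace, so the
# leading spaces inside the ssh_config literals below may be fewer than in the
# original profile -- confirm against the rendered file.

# Override by platform: the BSD family uses 'wheel' as root's group, every
# other family uses 'root'.
root_group =
  case platform[:family]
  when 'bsd'
    'wheel'
  else
    'root'
  end

# Pinned host-key lines expected in /etc/ssh/ssh_known_hosts. The '[...]'
# markers are truncations carried over from the page, not part of a real key.
#
# NOTE(review): this prefix looks like GitHub's RSA host key from before the
# March 2023 rotation -- confirm the pinned value is the key you still intend
# to trust.
github_known_host = 'github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]'

# The dot in the hostname is escaped so that only the literal name
# 'gitlab.com' satisfies the check; an unescaped '.' matches any character
# (for example 'gitlabXcom'), which would let a look-alike entry pass.
gitlab_known_host_re = /gitlab\.com,[0-9a-f.:,]* ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABA/

minion_rsa_known_host = 'minion.id,alias.of.minion.id ssh-rsa [...]'
minion_ed25519_known_host = 'minion.id,alias.of.minion.id ssh-ed25519 [...]'

control 'openssh configuration' do
  title 'should match desired lines'

  # Server configuration.
  describe file('/etc/ssh/sshd_config') do
    it { should be_file }
    its('mode') { should cmp '0644' }
    it { should be_owned_by 'root' }
    it { should be_grouped_into root_group }
    its('content') { should include 'ChallengeResponseAuthentication no' }
    # NOTE(review): this expects X11 forwarding to be enabled. The check pins
    # the state this profile was written for; confirm that is intended before
    # reusing the profile as a hardening baseline.
    its('content') { should include 'X11Forwarding yes' }
    its('content') { should include 'PrintMotd no' }
    its('content') { should include 'AcceptEnv LANG LC_*' }
    its('content') { should include 'Subsystem sftp /usr/lib/openssh/sftp-server' }
    # The UsePAM line is not expected on OpenBSD.
    unless %w[openbsd].include?(platform[:name])
      its('content') { should include 'UsePAM yes' }
    end
  end

  # Client configuration.
  describe file('/etc/ssh/ssh_config') do
    it { should be_file }
    its('mode') { should cmp '0644' }
    it { should be_owned_by 'root' }
    it { should be_grouped_into root_group }
    its('content') { should include 'Host *' }
    its('content') { should include ' GSSAPIAuthentication yes' }
    its('content') { should include ' HashKnownHosts yes' }
    its('content') { should include ' SendEnv LANG LC_*' }
  end

  # System-wide known hosts: every pinned entry above must be present.
  # `include` and `match` are substring/regex checks over the whole file, so
  # they prove an entry exists but not that unexpected entries are absent.
  describe file('/etc/ssh/ssh_known_hosts') do
    it { should be_file }
    its('mode') { should cmp '0644' }
    it { should be_owned_by 'root' }
    it { should be_grouped_into root_group }
    its('content') { should include github_known_host }
    its('content') { should match(gitlab_known_host_re) }
    its('content') { should include minion_rsa_known_host }
    its('content') { should include minion_ed25519_known_host }
  end
end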