openssh-formula/test/integration/default/controls/config_spec.rb

# frozen_string_literal: true

# Overide by Platform
root_group =
  case platform[:family]
  when 'bsd'
    'wheel'
  else
    'root'
  end

github_known_host = 'github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]'
gitlab_known_host_re = /gitlab.com,[0-9a-f.:,]* ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABA/
minion_rsa_known_host = 'minion.id,alias.of.minion.id ssh-rsa [...]'
minion_ed25519_known_host = 'minion.id,alias.of.minion.id ssh-ed25519 [...]'

control 'openssh configuration' do
  title 'should match desired lines'

  describe file('/etc/ssh/sshd_config') do
    it { should be_file }
    its('mode') { should cmp '0644' }
    it { should be_owned_by 'root' }
    it { should be_grouped_into root_group }
    its('content') { should include 'ChallengeResponseAuthentication no' }
    its('content') { should include 'X11Forwarding yes' }
    its('content') { should include 'PrintMotd no' }
    its('content') { should include 'AcceptEnv LANG LC_*' }
    its('content') { should include 'Subsystem sftp /usr/lib/openssh/sftp-server' }
    its('content') { should include 'UsePAM yes' }
  end

  describe file('/etc/ssh/ssh_config') do
    it { should be_file }
    its('mode') { should cmp '0644' }
    it { should be_owned_by 'root' }
    it { should be_grouped_into root_group }
    its('content') { should include 'Host *' }
    its('content') { should include '    GSSAPIAuthentication yes' }
    its('content') { should include '    HashKnownHosts yes' }
    its('content') { should include '    SendEnv LANG LC_*' }
  end

  describe file('/etc/ssh/ssh_known_hosts') do
    it { should be_file }
    its('mode') { should cmp '0644' }
    it { should be_owned_by 'root' }
    it { should be_grouped_into 'root' }
    its('content') { should include github_known_host }
    its('content') { should match(gitlab_known_host_re) }
    its('content') { should include minion_rsa_known_host }
    its('content') { should include minion_ed25519_known_host }
  end
end