How to run inspec exec with ssh


#1

Hi

If I use the example in the exec section of this page https://docs.chef.io/ctl_inspec.html
in other words inspec exec testdir -t ssh://userID@internal-svr.gci.com OR inspec exec testdir/controls/test.rb -t ssh://userID@internal-svr.gci.com, what I get is:

$ inspec exec base -t ssh://someuser@somewhere.gci.com
/opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/r-train-0.10.0/lib/train/transports/ssh.rb:84:in `validate_options': You must configure at least one authentication method for SSH: Password or key. (Train::ClientError)
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/r-train-0.10.0/lib/train/transports/ssh.rb:67:in `connection'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/inspec-0.14.2/lib/inspec/backend.rb:23:in `create'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/inspec-0.14.2/lib/inspec/runner.rb:46:in `configure_transport'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/inspec-0.14.2/lib/inspec/runner.rb:30:in `initialize'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/inspec-0.14.2/lib/utils/base_cli.rb:50:in `new'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/inspec-0.14.2/lib/utils/base_cli.rb:50:in `run_tests'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/inspec-0.14.2/bin/inspec:110:in `exec'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/thor-0.19.1/lib/thor/command.rb:27:in `run'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/thor-0.19.1/lib/thor/invocation.rb:126:in `invoke_command'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/thor-0.19.1/lib/thor.rb:359:in `dispatch'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/thor-0.19.1/lib/thor/base.rb:440:in `start'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/inspec-0.14.2/bin/inspec:166:in `<top (required)>'
from /opt/chefdk/embedded/bin/inspec:22:in `load'
from /opt/chefdk/embedded/bin/inspec:22:in `<main>'

I’m getting derailed here. The page referenced above doesn’t mention any configuration of authentication methods or of Train. I looked at the Train page on GitHub and didn’t find it helpful for my problem. Any help is most appreciated.


#2

@AnotherNerdHere Thanks for highlighting that issue. Looks like you got an older version of InSpec, because the newer versions output what is missing:

$ inspec exec mytest.rb -t ssh://user@host
Client error, can't connect to 'ssh' backend: You must configure at least one authentication method for SSH: Password or key.
$ inspec help exec
Usage:
  inspec exec PATHS

Options:
      [--id=ID]                            # Attach a profile ID to all test results
  t, [--target=TARGET]                     # Simple targeting option using URIs, e.g. ssh://user:pass@host:port
  b, [--backend=BACKEND]                   # Choose a backend: local, ssh, winrm, docker.
      [--host=HOST]                        # Specify a remote host which is tested.
  p, [--port=N]                            # Specify the login port for a remote scan.
      [--user=USER]                        # The login user for a remote scan.
      [--password=PASSWORD]                # Login password for a remote scan, if required.
  i, [--key-files=one two three]           # Login key or certificate file for a remote scan.
      [--path=PATH]                        # Login path to use when connecting to the target (WinRM).
      [--sudo], [--no-sudo]                # Run scans with sudo. Only activates on Unix and non-root user.
      [--sudo-password=SUDO_PASSWORD]      # Specify a sudo password, if it is required.
      [--sudo-options=SUDO_OPTIONS]        # Additional sudo options for a remote scan.
      [--ssl], [--no-ssl]                  # Use SSL for transport layer encryption (WinRM).
      [--self-signed], [--no-self-signed]  # Allow remote scans with self-signed certificates (WinRM).
      [--json-config=JSON_CONFIG]          # Read configuration from JSON file (`-` reads from stdin).
  l, [--log-level=LOG_LEVEL]               # Set the log level: info (default), debug, warn, error
      [--profiles-path=PROFILES_PATH]      # Folder which contains referenced profiles.
      [--controls=one two three]           # A list of controls to run. Ignore all other tests.
      [--format=FORMAT]                    # Which formatter to use: progress, documentation, json
      [--color], [--no-color]              # Use colors in output.
                                           # Default: true
      [--diagnose], [--no-diagnose]        # Show diagnostics (versions, configurations)

run all test files at the specified PATH.

In your case you need either the --password or --key-files to give InSpec a chance to authenticate with the SSH server. Please let me know if that worked.
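
The requirement from the reply above (an SSH target needs --password or --key-files), as an added example that is not part of the original thread or of InSpec: a preflight check to run before `inspec exec`. The function name `inspec_ssh_preflight` and its return codes are hypothetical, and the key-permission rule is this example's own policy, not something InSpec is stated to enforce.

```shell
#!/bin/sh
# Added example (not from the thread). Preflight for:
#   inspec exec PATHS -t ssh://user@host --key-files KEYFILE
# inspec_ssh_preflight is a hypothetical helper; return codes are its own.
inspec_ssh_preflight() {
    target=$1
    keyfile=${2:-}

    case $target in
        ssh://*) ;;
        *) echo "target must be an ssh:// URI" >&2; return 2 ;;
    esac

    # Isolate user[:password] from ssh://user[:password]@host[:port]
    authority=${target#ssh://}
    authority=${authority%%/*}
    case $authority in
        *@*) userinfo=${authority%@*} ;;
        *)   userinfo= ;;
    esac

    # A password in the URI ends up in shell history and the process list.
    case $userinfo in
        *:*) echo "password embedded in target URI; use --key-files" >&2; return 3 ;;
    esac

    # With neither key nor password the run stops with
    # "You must configure at least one authentication method for SSH".
    if [ -z "$keyfile" ]; then
        echo "no authentication method: supply a key file" >&2; return 4
    fi
    if [ ! -f "$keyfile" ] || [ ! -r "$keyfile" ]; then
        echo "key file missing or unreadable: $keyfile" >&2; return 5
    fi

    # Policy of this example: private key must not be group/world accessible.
    perms=$(ls -lLd "$keyfile" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "key file permissions too open; chmod 600 $keyfile" >&2; return 6
    fi
    return 0
}

# Usage (target and key path are placeholders):
#   t=ssh://userID@internal-svr.gci.com; k=$HOME/.ssh/id_rsa
#   inspec_ssh_preflight "$t" "$k" && inspec exec testdir -t "$t" --key-files "$k"
```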


#3

Thanks Chris. I have the version that came with the latest chefdk when we (GCI) were in Seattle for training at the beginning of March. OK, noob-ish question: how do I update inspec or other pieces of the chefdk?

Just for the record, I have:
chefdk-0.11.2-1
Test Kitchen version 1.5.0
inspec version 0.14.2
rspec 3.4.3
berks 4.2.0

Thanks,
Greg.


#4

The best idea is to install the latest chef-dk. If that's not possible or a newer version has not been released, I recommend using:

$ chef exec gem list | grep inspec
inspec (0.14.7)
kitchen-inspec (0.12.3)
$ chef exec gem uninstall inspec kitchen-inspec
Successfully uninstalled kitchen-inspec-0.12.3
Remove executables:
	inspec

in addition to the gem? [Yn]  y
Removing inspec
Successfully uninstalled inspec-0.14.7
$ chef exec gem install inspec kitchen-inspec 
Fetching: r-train-0.10.4.gem (100%)
Successfully installed r-train-0.10.4
Fetching: inspec-0.17.1.gem (100%)
Successfully installed inspec-0.17.1
Fetching: kitchen-inspec-0.12.5.gem (100%)
Successfully installed kitchen-inspec-0.12.5
3 gems installed
$ chef exec gem list | grep inspec             
inspec (0.17.1)
kitchen-inspec (0.12.5)

#5

Thanks @chris-rock. It looks like I have an older chefdk. I guess it's time for an uninstall / re-install.