Openssh Cookbook - why default attribute default = '*' - override?

Hello

In the openssh Cookbook from Supermarket @
supermarket.chef.io/cookbooks/openssh, the attributes file for the “client
section” contains this:

default['openssh']['client']['host'] = '*'
See github.com/chef-cookbooks/openssh/blob/master/attributes/default.rb#L57

*Short question: How do I get rid of this, without having to modify the
openssh/attributes/default.rb file; ie. from my own cookbook, which
has a “include_recipe "openssh"” somewhere.*

Because of that, the generated /etc/ssh/ssh_config file contains at least
this:

$ cat /etc/ssh/ssh_config
# This file was generated by Chef for host
# Do NOT modify this file by hand!

Host *

Ie., there’s at least a “Host *” entry. And the way I have it now, all my
attributes are below that; ie. my ssh_config file reads:

$ cat /etc/ssh/ssh_config
# This file was generated by Chef for host
# Do NOT modify this file by hand!

Host *
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
PubkeyAuthentication yes
VerifyHostKeyDNS no
#VerifyHostKeyDNS:No-SonstIstEsZuLangsam no
HostKeyAlgorithms ssh-rsa,ssh-dss
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

That’s not quite what I want. I don’t want that “Host *” line there.

Thanks a lot,

Alexander

=> Google+ => http://plus.skwar.me <==
=> Chat (Jabber/Google Talk) => a.skwar@gmail.com <==

Hi again

Hm. I guess, I’m doing something wrong… Now my ssh_config looks like this:

$ cat /etc/ssh/ssh_config
# This file was generated by Chef for host
# Do NOT modify this file by hand!

Host *
Host foo
PubkeyAuthentication no
HostKeyAlgorithms ssh-dss
Host bar
HostKeyAlgorithms ssh-dss
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
PubkeyAuthentication yes
VerifyHostKeyDNS no
#VerifyHostKeyDNS:No-SonstIstEsZuLangsam no
HostKeyAlgorithms ssh-rsa,ssh-dss
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

That’s clearly not what I want.

In my own cookbook, I’ve got this attributes/default.rb file:

default['openssh']['client']['foo'] = {
  'pubkey_authentication' => 'no',
  'host_key_algorithms' => 'ssh-dss'
}

default['openssh']['client']['bar'] = {
  'host_key_algorithms' => 'ssh-dss'
}

default['openssh']['client']['global_known_hosts_file'] = '/var/lib/sss/pubconf/known_hosts'
default['openssh']['client']['pubkey_authentication'] = 'yes'

default['openssh']['client']['verify_host_key_d_n_s'] = 'no'
default['openssh']['client']['#verify_host_key_d_n_s:no-_sonst_ist_es_zu_langsam'] = 'no'
default['openssh']['client']['host_key_algorithms'] = 'ssh-rsa,ssh-dss'
default['openssh']['client']['proxy_command'] = '/usr/bin/sss_ssh_knownhostsproxy -p %p %h'

#default['openssh']['client']['*'] = {}

EOF

I would not have expected, that my “default” settings (eg. proxy_command to
take just one example) is below “Host bar”. As it is not in any Host hash,
I would’ve expected, that the setting would’ve been above all the "Host …"
blocks or maybe in the “Host *” block.

How to do it correctly?

When I move my “default lines” ABOVE all the “Host” lines
(default['openssh']['client']['foo'] and default['openssh']['client']['bar']),
then the generated ssh_config is good. Don’t know, but that does not feel
right.

Regards,
Alexander


Alexander,

The order of things can matter in Chef, and the way the openssh cookbook
works is pretty simplistic. As far as the /etc/ssh/ssh_config file is
concerned, take a look at how it’s generated:

https://github.com/chef-cookbooks/openssh/blob/master/templates/default/ssh_config.erb
As you can see, it’s going to take each of the attributes you declare and
write them to the file. It’s logical that they would be listed in the file
in the same order you listed them in your attributes file. So this is one
instance where the order in which you list attributes can matter. It often
doesn’t matter. The cookbook is designed this way so it doesn’t have to
account for every possible configurable item supported by OpenSSH. You just
tell it what you need and it will write it into the file. The advantage is
that the cookbook won’t need an update if, in the future, versions of
OpenSSH are released that add new configurable parameters, so long as they
don’t break compatibility with the formatting of the /etc/ssh/ssh(d)_config
files.


Hi Fabien

Okay, thanks a lot. So I have to take care to list things in the right
order. Understood.

Cheers,
Alexander


To just answer: in your wrapper cookbook, override the value with what
you wish like this for example:

default['openssh']['client']['host'] = '*.my.domain'

The attribute will be updated before the recipe is evaluated, and it will
update the file accordingly.

What I don’t understand is why you don’t wish a Host * in your
ssh_config.

It is to declare the default values for all hosts, until another “Host
something” entry is found, which in turn could update settings with
specific values for the “something” pattern.

I’m even unsure keywords before a Host line will be used by the ssh
client.


Quick version: Set your default attributes before the other Hashes, as
the template will read them in the order of appearance (declaration).

In my opinion a better way would be to do this:

default['openssh']['client']['*'] = {
  'global_known_hosts_file' => '/var/lib/sss/pubconf/known_hosts',
  'pubkey_authentication' => 'yes',
  'verify_host_key_d_n_s' => 'no',
  '#verify_host_key_d_n_s:no-_sonst_ist_es_zu_langsam' => 'no',
  'host_key_algorithms' => 'ssh-rsa,ssh-dss',
  'proxy_command' => '/usr/bin/sss_ssh_knownhostsproxy -p %p %h'
}

default['openssh']['client']['foo'] = {
  'pubkey_authentication' => 'no',
  'host_key_algorithms' => 'ssh-dss'
}

default['openssh']['client']['bar'] = {
  'host_key_algorithms' => 'ssh-dss'
}

The template for ssh_config[1] iterates over the keys just under 'client'
and builds the values accordingly.

[1]

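
The ordering effect discussed in this thread, as an added Ruby example (not the cookbook's template and not code from any poster): render is a simplified, assumed model of a template that walks the client attributes in insertion order, and effective goes one step further than the thread by applying the first-obtained-value rule from ssh_config(5) to the rendered lines. The attribute values are a reduced, constructed copy of the ones posted, and web1 is a made-up host name.

```ruby
# Added illustration, not the cookbook's template: a simplified model of it.

# 'proxy_command' -> 'ProxyCommand' (assumed key-to-directive mapping)
def directive(key)
  key.split('_').map(&:capitalize).join
end

# Walk the client attributes in insertion order, as the thread describes.
def render(client)
  lines = ["Host #{client['host']}"]
  client.each do |key, value|
    next if key == 'host'
    if value.is_a?(Hash)
      lines << "Host #{key}"
      value.each { |k, v| lines << "  #{directive(k)} #{v}" }
    else
      lines << "  #{directive(key)} #{value}"
    end
  end
  lines
end

# Options ssh would apply to hostname: a Host line switches matching on or
# off, and the first value obtained for a keyword wins (ssh_config(5)).
# Negated (!) patterns are not modelled.
def effective(lines, hostname)
  active = true
  opts = {}
  lines.each do |line|
    word, arg = line.strip.split(' ', 2)
    next if word.nil? || word.start_with?('#')
    if word == 'Host'
      active = arg.to_s.split.any? { |pat| File.fnmatch(pat, hostname) }
    elsif active
      opts[word] ||= arg
    end
  end
  opts
end

# Constructed sample attributes, reduced from the ones posted in the thread.
COOKBOOK = { 'host' => '*' }.freeze
HOSTS = {
  'foo' => { 'pubkey_authentication' => 'no', 'host_key_algorithms' => 'ssh-dss' },
  'bar' => { 'host_key_algorithms' => 'ssh-dss' }
}.freeze
GLOBALS = {
  'pubkey_authentication' => 'yes',
  'host_key_algorithms' => 'ssh-rsa,ssh-dss',
  'proxy_command' => '/usr/bin/sss_ssh_knownhostsproxy -p %p %h'
}.freeze

AS_POSTED = render(COOKBOOK.merge(HOSTS).merge(GLOBALS))        # host hashes first
GLOBALS_FIRST = render(COOKBOOK.merge(GLOBALS).merge(HOSTS))    # top-level keys first
STAR_LAST = render(COOKBOOK.merge(HOSTS).merge('*' => GLOBALS)) # '*' hash last

{ 'as posted' => AS_POSTED, 'globals first' => GLOBALS_FIRST,
  "'*' last" => STAR_LAST }.each do |name, cfg|
  puts "== #{name}", cfg
  %w[foo web1].each { |h| puts "   #{h}: #{effective(cfg, h)}" }
end
```

With these samples, the as-posted order leaves web1 with no options at all because the top-level keys land inside the "Host bar" block; top-level keys first makes foo inherit PubkeyAuthentication yes from "Host *", while putting the '*' hash last keeps foo's overrides and still gives every host the ProxyCommand.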