Hi Fabien
Seems, that I don't quite get, how to use this cookbook. Pretty complicated…
I'd like to have a cookbook/recipe or role named "hardened". There, I'd
like to set values, which makes a system "hardened". I already have a
"hardening" cookbook, which does other things (or, actually, also does SSHd
tweaking, but not yet with the openssh cookbook).
And I have another cookbook/recipe or role called "normal", with "normal"
values.
For example, in the "hardened" "situation", I'd like to have
PermitRootLogin no
while in the "normal" settings, there should be
PermitRootLogin without-password
(Just to cherry pick one sshd_config setting - there are also other
differences).
To invoke chef-solo, I execute:
/usr/bin/chef-solo -c /opt/kitchen.simpel/solo.rb -j
/opt/kitchen.simpel/nodes/mgmt01-test.json -E t1 -l debug
On https://bitbucket.org/alexs77/chef-with-openssh (or
https://bitbucket.org/alexs77/chef-with-openssh/get/master.tar.bz2),
there's what I have.
It works somewhat well so far, but I don't see how I can easily override
attributes from within a cookbook. As it is right now, I've added this to a
new *role" in my nodes file (→
https://bitbucket.org/alexs77/chef-with-openssh/src/fbdcea9768db40ab120f59ad3fc4d15ae8080877/opt/kitchen.simpel/nodes/mgmt01-test.json?at=master).
And in my roles files (→
https://bitbucket.org/alexs77/chef-with-openssh/src/fbdcea9768db40ab120f59ad3fc4d15ae8080877/opt/kitchen.simpel/roles/mgmt.json?at=master)
I set default values (in mgmt.json), which I partly override in
"hardened.json".
That's not quite what I'd want, as I have to make changes in a role file as
well (or have to remember to include it).
Could somebody please try to help again? 
Thanks a lot,
Alexander
2015-09-02 17:30 GMT+02:00 Fabien Delpierre fabien.delpierre@gmail.com:
Alexander,
The openssh cookbook is designed to accept any setting you add to your
Chef attributes. Most have presets if you look at the
attributes/default.rb file of the cookbook:
https://github.com/opscode-cookbooks/openssh/blob/master/attributes/default.rb
-- however most are commented. The sshd service itself has many defaults.Because Chef will manage the entire sshd_config file, you cannot simply
extend the config, like you asked; Chef will overwrite everything because
it just does a diff between the existing state and the desired state, so
anything that's not in the desired state will be removed. The cookbook and
sshd itself have sane presets but if you have an existing, tweaked config,
it's easy to lock yourself out of a node.
So the first thing you'll want to do is study your existing config and
compare it to the presets to correct any discrepancies.There are many ways of going about what you're asking. A typical solution
is to use a wrapper cookbook with a one-line recipe that simply reads:
include_recipe 'openssh::default'
Add all the openssh attributes you want in that wrapper cookbook's
attributes/default.rb, exactly as you see them formatted in the GitHub
link above, but change the settings you want, as needed. You can then add
that cookbook to your node's run list, and the next chef-client run will
apply those settings.
You could also use environments or roles to achieve the same result, but
some people will argue that you should just use cookbooks for everything
because they're versioned, which makes it easier to roll back if you mess
something up.At this point you might call your cookbook of universal sshd settings an
environment cookbook and apply it to all nodes early on in the run list. If
you need additional settings applied only to certain nodes, such as a Match
Group block, again there are many ways of doing that. You could add tThis is how I do it:
- I have a common set of sshd settings for all my nodes contained in a
role file. I just add that role to all the nodes. This is what that role
file looks like: name "openssh-ubuntu"description "Sets up OpenSSH using my preferred generic s - Pastebin.com- I have separate roles for subsets of nodes, here's just one example:
name "foo"description "Sets up foo nodes"default_attributes( "openssh" => - Pastebin.com -- as you can see it adds a couple of other
things to the nodes' run list, you certainly don't need that.
All of the above can be accomplished exclusively with cookbooks, and
again, some would suggest that you do it with cookbooks rather than roles
or environments, since cookbooks are versioned. Read this about that:
Role Cookbooks and Wrapper Cookbooks
http://blog.vialstudios.com/the-environment-cookbook-pattern/ is good
reading, too.On Wed, Sep 2, 2015 at 10:58 AM, Alexander Skwar <
alexanders.mailinglists+nospam@gmail.com> wrote:Hello Matt
Yes, I understand, that it is much more "Chef'fy" to put a COMPLETE
configuration file under Chef. But sometimes, that's not really doable.As FileEdit doesn't support my request, I worked around that and am not
using it for this taskReg. openssh cookbook. Cool!
We'd have a "generic" sshd_config for all hosts. Could I use this
cookbook to extend or change an existing sshd_config? For example, I'd
like to havePermitRootLogin without-password
But for certain hosts (or in certain other cookbooks or so), I'd like to
havePermitRootLogin no
Also, for some systems, I'd like to extend the sshd_config with a "Match
group" block (to allow or deny certain groups).Could I use the openssh-cookbook for this? Could you show me how?
Thanks a lot,
Alexander
2015-09-02 15:55 GMT+02:00 Matthew Moretti werebus@gmail.com:
Hello Alexander,
The general advice I’ve seen about using Chef to edit configuration
files is that you should generally avoid doing so if you can. If you have
the option of having Chef be the only entity that manages the file in
question, it’s much easier to put Chef in charge of the entire file and use
a file or template resource instead.In the case of ssshd_config, I’ve never had a complaint about the
openssh https://supermarket.chef.io/cookbooks/openssh cookbook which
uses attributes to build the whole config (nice for wrapper cookbooks,
environments, roles, etc.).To answer your actual question though, it doesn’t look like FileEdit
will append to the beginning of a file, no. If that’s definitely what you
want to do, you’ll probably have to break out some ruby_blocks
https://docs.chef.io/resource_ruby_block.html and use the slightly
lower-level ::File http://ruby-doc.org/core-2.2.0/File.html methods.Hope that helps.
Matt Moretti
On Thu, Aug 27, 2015 at 11:14 AM, Alexander Skwar
alexanders.mailinglists+nospam@gmail.com
http://mailto:alexanders.mailinglists+nospam@gmail.com wrote:Hello
With Chef 11.8.2 and FileEdit and the help of this list :), I've now
got a way to replace text in a file and use the captured text. As it
turned out, I'm not using the captured text at all… Oh, wellI am now replacing all old values in a config file (sshd_config, to be
exact). And when a certain config setting wasn't there at all, I
insert a line with the new setting. But it will get appended to the
file; it will be at the end of the file.That's (maybe…) a problem, as a sshd_config file might have a "Match
…" block at the end.Is there maybe an easy to way to add text to the BEGINNING of the file?
Here (or, for maybe better readability on
Chef - adding text to BEGINNING of file - how? - Pastebin.com) is, what I've got now:#############################################
SSH Parameter
{"Protocol" => "2", "LogLevel" => "INFO", "MaxAuthTries" => "4",
"IgnoreRhosts" => "yes", "HostbasedAuthentication" => "no",
"PermitRootLogin" => "no", "PermitEmptyPasswords" => "no", "Banner" =>
"/etc/issue.net"}.each do |param, value|
cfg_file = "/etc/ssh/sshd_config"replace_line_re = /^#{param}.*/ insert_line_text = replace_line_text = "#{param} #{value}" insert_line_re = /^#{replace_line_text}/ ruby_block "CIS: SSHd Parameter modifizieren. " + param + " => " +value do
block do
fe = Chef::Util::FileEdit.new(cfg_file)# Alte Werte durch neue Werte ersetzen fe.search_file_replace_line(replace_line_re,replace_line_text)
# Zeile mit neuem Wert am Ende der Datei einfügen - fallsnicht schon vorhanden
fe.insert_line_if_no_match(insert_line_re, insert_line_text)# Datei schreiben fe.write_file end # of block do notifies :reload, "service[ssh]", :delayed end # of ruby_block "CIS: SSHd Parameter modifizieren. " + param +" => " + value do
end # of {"Protocol" => "2", "LogLevel" => "INFO", "MaxAuthTries" =>
"4", "IgnoreRhosts" => "yes", "HostbasedAuthentication" => "no",
"PermitRootLogin" => "no", "PermitEmptyPasswords" => "no", "Banner" =>
"/etc/issue.net"}.each do |param, value|Thanks so much again,
Alexander
=> Google+ => http://plus.skwar.me <==
=> Chat (Jabber/Google Talk) => a.skwar@gmail.com <==
--
Alexander
=> Google+ => http://plus.skwar.me <==
=> Chat (Jabber/Google Talk) => a.skwar@gmail.com <==
--
Alexander
=> Google+ => http://plus.skwar.me <==
=> Chat (Jabber/Google Talk) => a.skwar@gmail.com <==