Re: Re: openssh-cookbook - extending sshd_config?

Hi Fabien

It seems that I don’t quite get how to use this cookbook. Pretty complicated…

I’d like to have a cookbook/recipe or role named “hardened”. There, I’d
like to set values which make a system “hardened”. I already have a
"hardening" cookbook, which does other things (or, actually, also does SSHd
tweaking, but not yet with the openssh cookbook).

And I have another cookbook/recipe or role called “normal”, with "normal"
values.

For example, in the “hardened” “situation”, I’d like to have

PermitRootLogin no

while in the “normal” settings, there should be

PermitRootLogin without-password

(Just to cherry pick one sshd_config setting - there are also other
differences).

To invoke chef-solo, I execute:

/usr/bin/chef-solo -c /opt/kitchen.simpel/solo.rb -j
/opt/kitchen.simpel/nodes/mgmt01-test.json -E t1 -l debug

On https://bitbucket.org/alexs77/chef-with-openssh (or
https://bitbucket.org/alexs77/chef-with-openssh/get/master.tar.bz2),
there’s what I have.

It works somewhat well so far, but I don’t see how I can easily override
attributes from within a cookbook. As it is right now, I’ve added this to a
new "role" in my nodes file (→
https://bitbucket.org/alexs77/chef-with-openssh/src/fbdcea9768db40ab120f59ad3fc4d15ae8080877/opt/kitchen.simpel/nodes/mgmt01-test.json?at=master).
And in my roles files (→
https://bitbucket.org/alexs77/chef-with-openssh/src/fbdcea9768db40ab120f59ad3fc4d15ae8080877/opt/kitchen.simpel/roles/mgmt.json?at=master)
I set default values (in mgmt.json), which I partly override in
"hardened.json".

That’s not quite what I’d want, as I have to make changes in a role file as
well (or have to remember to include it).

Could somebody please try to help again? :)

Thanks a lot,
Alexander

2015-09-02 17:30 GMT+02:00 Fabien Delpierre fabien.delpierre@gmail.com:

Alexander,

The openssh cookbook is designed to accept any setting you add to your
Chef attributes. Most have presets if you look at the
attributes/default.rb file of the cookbook:
https://github.com/opscode-cookbooks/openssh/blob/master/attributes/default.rb
– however most are commented. The sshd service itself has many defaults.

Because Chef will manage the entire sshd_config file, you cannot simply
extend the config, like you asked; Chef will overwrite everything because
it just does a diff between the existing state and the desired state, so
anything that’s not in the desired state will be removed. The cookbook and
sshd itself have sane presets but if you have an existing, tweaked config,
it’s easy to lock yourself out of a node.
So the first thing you’ll want to do is study your existing config and
compare it to the presets to correct any discrepancies.

There are many ways of going about what you’re asking. A typical solution
is to use a wrapper cookbook with a one-line recipe that simply reads:
include_recipe 'openssh::default'
Add all the openssh attributes you want in that wrapper cookbook’s
attributes/default.rb, exactly as you see them formatted in the GitHub
link above, but change the settings you want, as needed. You can then add
that cookbook to your node’s run list, and the next chef-client run will
apply those settings.
You could also use environments or roles to achieve the same result, but
some people will argue that you should just use cookbooks for everything
because they’re versioned, which makes it easier to roll back if you mess
something up.

At this point you might call your cookbook of universal sshd settings an
environment cookbook and apply it to all nodes early on in the run list. If
you need additional settings applied only to certain nodes, such as a Match
Group block, again there are many ways of doing that. You could add t

This is how I do it:

  1. I have a common set of sshd settings for all my nodes contained in a
    role file. I just add that role to all the nodes. This is what that role
    file looks like: http://pastebin.com/GCUFL9Jd
  2. I have separate roles for subsets of nodes, here’s just one example:
    http://pastebin.com/NxUkAEUy – as you can see it adds a couple of other
    things to the nodes’ run list, you certainly don’t need that.
    All of the above can be accomplished exclusively with cookbooks, and
    again, some would suggest that you do it with cookbooks rather than roles
    or environments, since cookbooks are versioned. Read this about that:
    http://realityforge.org/code/2012/11/19/role-cookbooks-and-wrapper-cookbooks.html
    http://blog.vialstudios.com/the-environment-cookbook-pattern/ is good
    reading, too.

On Wed, Sep 2, 2015 at 10:58 AM, Alexander Skwar <alexanders.mailinglists+nospam@gmail.com> wrote:

Hello Matt

Yes, I understand, that it is much more “Chef’fy” to put a COMPLETE
configuration file under Chef. But sometimes, that’s not really doable.

As FileEdit doesn’t support my request, I worked around that and am not
using it for this task ;)

Reg. openssh cookbook. Cool!

We’d have a “generic” sshd_config for all hosts. Could I use this
cookbook to extend or change an existing sshd_config? For example, I’d
like to have

PermitRootLogin without-password

But for certain hosts (or in certain other cookbooks or so), I’d like to
have

PermitRootLogin no

Also, for some systems, I’d like to extend the sshd_config with a “Match
group” block (to allow or deny certain groups).

Could I use the openssh-cookbook for this? Could you show me how?

Thanks a lot,
Alexander

2015-09-02 15:55 GMT+02:00 Matthew Moretti werebus@gmail.com:

Hello Alexander,

The general advice I’ve seen about using Chef to edit configuration
files is that you should generally avoid doing so if you can. If you have
the option of having Chef be the only entity that manages the file in
question, it’s much easier to put Chef in charge of the entire file and use
a file or template resource instead.

In the case of sshd_config, I’ve never had a complaint about the
openssh https://supermarket.chef.io/cookbooks/openssh cookbook which
uses attributes to build the whole config (nice for wrapper cookbooks,
environments, roles, etc.).

To answer your actual question though, it doesn’t look like FileEdit
will append to the beginning of a file, no. If that’s definitely what you
want to do, you’ll probably have to break out some ruby_blocks
https://docs.chef.io/resource_ruby_block.html and use the slightly
lower-level ::File http://ruby-doc.org/core-2.2.0/File.html methods.

Hope that helps.

Matt Moretti

On Thu, Aug 27, 2015 at 11:14 AM, Alexander Skwar <alexanders.mailinglists+nospam@gmail.com> wrote:

Hello

With Chef 11.8.2 and FileEdit and the help of this list :), I’ve now
got a way to replace text in a file and use the captured text. As it
turned out, I’m not using the captured text at all… Oh, well :)

I am now replacing all old values in a config file (sshd_config, to be
exact). And when a certain config setting wasn’t there at all, I
insert a line with the new setting. But it will get appended to the
file; it will be at the end of the file.

That’s (maybe…) a problem, as a sshd_config file might have a “Match
…” block at the end.

Is there maybe an easy way to add text to the BEGINNING of the file? :)

Here (or, for maybe better readability, on
http://pastebin.com/1QWfsnFZ) is what I’ve got now:

#############################################
# SSH parameters

{"Protocol" => "2", "LogLevel" => "INFO", "MaxAuthTries" => "4",
 "IgnoreRhosts" => "yes", "HostbasedAuthentication" => "no",
 "PermitRootLogin" => "no", "PermitEmptyPasswords" => "no",
 "Banner" => "/etc/issue.net"}.each do |param, value|
  cfg_file = "/etc/ssh/sshd_config"

  # Any active line that starts with the parameter name gets replaced;
  # the inserted line is matched literally, so the regex is escaped.
  replace_line_re = /^#{Regexp.escape(param)}.*/
  insert_line_text = replace_line_text = "#{param} #{value}"
  insert_line_re = /^#{Regexp.escape(replace_line_text)}/

  # Assumes a service "ssh" resource is declared elsewhere in the recipe.
  ruby_block "CIS: SSHd Parameter modifizieren. " + param + " => " + value do
    block do
      fe = Chef::Util::FileEdit.new(cfg_file)

      # Replace old values with the new value
      fe.search_file_replace_line(replace_line_re, replace_line_text)

      # Insert a line with the new value at the end of the file,
      # unless it is already present
      fe.insert_line_if_no_match(insert_line_re, insert_line_text)

      # Write the file
      fe.write_file
    end # of block do
    notifies :reload, "service[ssh]", :delayed
  end # of ruby_block
end # of {...}.each do |param, value|

Thanks so much again,

Alexander

=> Google+ => http://plus.skwar.me <==
=> Chat (Jabber/Google Talk) => a.skwar@gmail.com <==

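The earlier question in this thread, whether a setting inserted with insert_line_if_no_match can be placed at the beginning of the file rather than after a trailing Match block, as an added example in Ruby (not code from the thread, from Chef or from the openssh cookbook): a directive is replaced in place if the global section already has it, and otherwise inserted just above the first Match line. The function names and the sample config are constructed for the example; inside a ruby_block the lines would come from File.readlines and go back out with File.write, as Matt's pointer to the plain ::File methods suggests.

```ruby
# Added example, not code from the thread: put a global sshd_config directive
# in the right place instead of appending it at end of file.  sshd applies
# anything written after a "Match" line only to that block, so a setting
# appended by insert_line_if_no_match would silently not apply globally.

# Index of the first line that opens a Match block, or nil if there is none.
def first_match_index(lines)
  lines.index { |l| l.match?(/\A\s*Match\b/i) }
end

# Return a new array of lines in which `param` is set to `value` in the global
# section.  The first existing line for the directive (active or commented
# out) above the Match block is replaced in place; stale active duplicates
# below it are removed because sshd keeps the first value it reads.  If the
# directive is absent it is inserted just above the first Match block, or
# appended when the file has no Match block at all.
def set_global_directive(lines, param, value)
  out = lines.dup
  limit = first_match_index(out) || out.length
  any_form = /\A\s*#?\s*#{Regexp.escape(param)}\b/i
  active = /\A\s*#{Regexp.escape(param)}\b/i
  new_line = "#{param} #{value}"
  existing = (0...limit).find { |i| out[i].match?(any_form) }
  if existing
    out[existing] = new_line
    (existing + 1...limit).reverse_each { |i| out.delete_at(i) if out[i].match?(active) }
  else
    out.insert(limit, new_line)
  end
  out
end

# Apply a whole hash of directives, the shape used in the thread's ruby_block.
def apply_directives(lines, directives)
  directives.reduce(lines) { |acc, (param, value)| set_global_directive(acc, param, value) }
end

# Constructed sample: a commented-out PermitRootLogin and a Match block at the end.
SAMPLE = <<~CFG.lines.map(&:chomp)
  # sample sshd_config (constructed)
  Protocol 2
  #PermitRootLogin yes
  LogLevel VERBOSE
  Match Group sftponly
      ChrootDirectory /srv/sftp
      ForceCommand internal-sftp
CFG

# Inside a Chef ruby_block this would read and write the real file, e.g.
#   File.write(path, apply_directives(File.readlines(path, chomp: true), h).join("\n") + "\n")
if __FILE__ == $PROGRAM_NAME
  puts apply_directives(SAMPLE, "PermitRootLogin" => "no", "MaxAuthTries" => "4")
end
```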

So, in your ‘normal’ cookbook, you could add an attributes/openssh.rb file
(you can call it whatever you want) and add the following line in it:
default['openssh']['server']['permit_root_login'] = 'without-password'
Along with any of the other options you wish to set across all your nodes
for OpenSSH.

And in your ‘hardened’ cookbook, add another attributes/openssh.rb file and
put the following line in it:
default['openssh']['server']['permit_root_login'] = 'no'
Again, along with any of the other options you wish to set across your
"hardened" nodes.

Then add the ‘normal’ cookbook to all your nodes’ run list. For hardened
nodes, also add the ‘hardened’ cookbook, after the ‘normal’ cookbook in
the run list order. If a certain attribute exists in both
normal/attributes/openssh.rb and hardened/attributes/openssh.rb, the values
stored in the cookbook that’s second/latest in the run list will be applied.

That’s one way to do it, no need for roles.

You can also separate the two cookbooks completely, so that ‘hardened’ can
be used independently, but then that means you have to maintain two
separate cookbooks when you want to change an OpenSSH setting.

On Fri, Sep 4, 2015 at 10:45 AM, Alexander Skwar <
alexanders.mailinglists+nospam@gmail.com> wrote:

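Fabien's advice earlier in the thread, to study the existing config and compare it to the presets before the cookbook takes over the whole file, as an added example in Ruby (not code from the thread or from the openssh cookbook): a check that reports which directives of a hand-tweaked sshd_config the attribute-driven template would drop or change. The sample file and attribute hash are constructed, and the snake_case-to-CamelCase mapping of attribute keys is an assumption based on the attribute lines quoted in this thread.

```ruby
# Added example, not code from the thread or the openssh cookbook: before the
# cookbook takes over sshd_config, report what the hand-tweaked file contains
# that an attribute-driven template would drop or change.  Assumption: each
# snake_case attribute key renders as the CamelCase directive, as in the thread.

# Global-section directives of an existing sshd_config, keyed by lower-cased
# name -> [name as written, value].  Parsing stops at the first Match line:
# directives inside a Match block are scoped to it and are not what a global
# attribute replaces.  sshd keeps the first value of a repeated keyword.
def global_directives(text)
  seen = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#")
    key, val = line.split(/\s*=\s*|\s+/, 2)
    break if key.casecmp?("Match")
    seen[key.downcase] ||= [key, val.to_s.strip]
  end
  seen
end

# snake_case attribute key -> directive name the template would write.
def directive_name(attr_key)
  attr_key.to_s.split("_").map(&:capitalize).join
end

# :dropped = set in the file today but absent from the attributes, so it falls
# back to sshd's built-in default; :changed = [name, current, desired].
def takeover_report(existing_text, server_attrs)
  current = global_directives(existing_text)
  desired = server_attrs.map { |k, v| [directive_name(k).downcase, v.to_s] }.to_h
  dropped = (current.keys - desired.keys).map { |k| current[k][0] }
  changed = (current.keys & desired.keys)
            .reject { |k| current[k][1].casecmp?(desired[k]) }
            .map { |k| [current[k][0], current[k][1], desired[k]] }
  { dropped: dropped, changed: changed }
end

# Constructed sample of a hand-tweaked file: Port and AllowGroups are not in
# the attributes below, so both would silently revert (port 22, no group limit).
EXISTING = <<~CFG
  # constructed sshd_config
  Port 2222
  Protocol 2
  PermitRootLogin without-password
  AllowGroups admins ops
  PasswordAuthentication no
  Match Group sftponly
      ChrootDirectory /srv/sftp
CFG

# Constructed stand-in for node['openssh']['server'] after the 'normal' and
# 'hardened' attribute files from the thread have been merged.
DESIRED = { "protocol" => "2", "permit_root_login" => "no",
            "password_authentication" => "no", "max_auth_tries" => "4" }
if __FILE__ == $PROGRAM_NAME
  p takeover_report(EXISTING, DESIRED)
end
```

A non-empty :dropped list is the lockout and weakening case Fabien warns about: the port and the group restriction would vanish on the first run without any error.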