cookbook 'openssh', '= 2.9.0'
openssh
(72) Versions
2.9.0
-
-
2.11.15
-
2.11.14
-
2.11.13
-
2.11.12
-
2.11.11
-
2.11.10
-
2.11.9
-
2.11.8
-
2.11.7
-
2.11.6
-
2.11.5
-
2.11.4
-
2.11.3
-
2.11.2
-
2.11.1
-
2.11.0
-
2.10.18
-
2.10.17
-
2.10.16
-
2.10.15
-
2.10.14
-
2.10.13
-
2.10.12
-
2.10.11
-
2.10.10
-
2.10.9
-
2.10.8
-
2.10.7
-
2.10.6
-
2.10.5
-
2.10.4
-
2.10.3
-
2.10.2
-
2.10.1
-
2.10.0
-
2.9.2
-
2.9.1
-
2.9.0
-
2.8.1
-
2.8.0
-
2.7.1
-
2.7.0
-
2.6.3
-
2.6.2
-
2.6.1
-
2.6.0
-
2.5.0
-
2.4.1
-
2.4.0
-
2.3.1
-
2.3.0
-
2.2.0
-
2.1.1
-
2.1.0
-
2.0.0
-
1.6.1
-
1.6.0
-
1.5.2
-
1.5.0
-
1.4.0
-
1.3.4
-
1.3.2
-
1.3.0
-
1.2.2
-
1.2.0
-
1.1.4
-
1.1.2
-
1.1.0
-
1.0.0
-
0.8.0
-
0.7.2
-
0.7.0
Follow169
- 2.11.15
- 2.11.14
- 2.11.13
- 2.11.12
- 2.11.11
- 2.11.10
- 2.11.9
- 2.11.8
- 2.11.7
- 2.11.6
- 2.11.5
- 2.11.4
- 2.11.3
- 2.11.2
- 2.11.1
- 2.11.0
- 2.10.18
- 2.10.17
- 2.10.16
- 2.10.15
- 2.10.14
- 2.10.13
- 2.10.12
- 2.10.11
- 2.10.10
- 2.10.9
- 2.10.8
- 2.10.7
- 2.10.6
- 2.10.5
- 2.10.4
- 2.10.3
- 2.10.2
- 2.10.1
- 2.10.0
- 2.9.2
- 2.9.1
- 2.9.0
- 2.8.1
- 2.8.0
- 2.7.1
- 2.7.0
- 2.6.3
- 2.6.2
- 2.6.1
- 2.6.0
- 2.5.0
- 2.4.1
- 2.4.0
- 2.3.1
- 2.3.0
- 2.2.0
- 2.1.1
- 2.1.0
- 2.0.0
- 1.6.1
- 1.6.0
- 1.5.2
- 1.5.0
- 1.4.0
- 1.3.4
- 1.3.2
- 1.3.0
- 1.2.2
- 1.2.0
- 1.1.4
- 1.1.2
- 1.1.0
- 1.0.0
- 0.8.0
- 0.7.2
- 0.7.0
Installs and configures OpenSSH client and daemon
cookbook 'openssh', '= 2.9.0', :supermarket
knife supermarket install openssh
knife supermarket download openssh
openssh Cookbook
Installs and configures OpenSSH client and daemon.
Maintainers
This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you’d like to know more please visit sous-chefs.org or come chat with us on the Chef Community Slack in #sous-chefs.
Requirements
Platforms
- Debian/Ubuntu
- RHEL/CentOS/Scientific/Oracle
- Fedora
- FreeBSD
- Suse Enterprise Linux
- openSUSE / openSUSE leap
- AIX 7.1
Chef
- Chef 12.1+
Cookbooks
- iptables
Recipes
default
Installs openssh packages, manages the sshd config file, configure trusted ca keys, configure revoked keys, and starts/enables the sshd service.
iptables
Creates an iptables firewall rule to allow inbound SSH connections.
Usage
Apply the default recipe to the node's run_list to ensure that the openssh packages are installed, sshd is configured, and the service is started and enabled
Attributes List
The attributes list is dynamically generated, and lines up with the default openssh configs.
This means anything located in sshd_config or ssh_config can be used in your node attributes.
- If the option can be entered more then once, use an Array, otherwise, use a String. If the option is host-specific use a
Hash
(please see below for more details). - Each attribute is stored as ruby case, and converted to camel case for the config file on the fly.
- The current default attributes match the stock
ssh_config
andsshd_config
provided by openssh. - The namespace for
sshd_config
isnode['openssh']['server']
. - Likewise, the namespace for
ssh_config
isnode['openssh']['client']
. - An attribute can be an
Array
, aHash
or aString
. - If it is an
Array
, each item in the array will get it's own line in the config file. -
Hash
attributes are meant to used withssh_config
namespace to create host-specific configurations. The keys of theHash
will be used as theHost
entries and their associated entries as the configuration values. - All the values in openssh are commented out in the
attributes/default.rb
file for a base starting point. - There is one special attribute name, which is
match
. This is not included in the default template like the others.node['openssh']['server']['match']
must be a Hash, where the key is the match pattern criteria and the value should be a Hash of normal keywords and values. The same transformations listed above apply to these keywords. See examples below.
Dynamic ListenAddress
Pass in a Hash
of interface names, and IP address type(s) to bind sshd to. This will expand to a list of IP addresses which override the default node['openssh']['server']['listen_address']
value.
Examples and Common usage
These can be mixed and matched in roles and attributes. Please note, it is possible to get sshd into a state that it will not run. If this is the case, you will need to login via an alternate method and debug sshd like normal.
No Password logins
This requires use of identity files to connect
"openssh": { "server": { "password_authentication": "no" } }
Change sshd Port
"openssh": { "server": { "port": "14188" } }
Match
"openssh": { "server": { "match": { "Address 192.168.1.0/24": { "password_authentication": "yes" }, "Group admins": { "permit_tunnel": "yes", "max_sessions": "20" } } } }
Enable X Forwarding
"openssh": { "server": { "x11_forwarding": "yes" } }
Bind to a specific set of address (this example actually binds to all)
Not to be used with node['openssh']['listen_interfaces']
.
"openssh": { "server": { "address_family": "any", "listen_address": [ "192.168.0.1", "::" ] } } }
Bind to the addresses tied to a set of interfaces
"openssh": { "listen_interfaces": { "eth0": "inet", "eth1": "inet6" } }
Configure Trusted User CA Keys
"openssh": { "ca_keys": [ "ssh-rsa key... ca_id_1", "ssh-rsa key... ca_id_2" ] }
Configure Revoked Keys
"openssh": { "server": { "revoked_keys": [ "ssh-rsa key... user_key_1", "ssh-rsa key... user_key_2" ] } }
Host-specific configurations with hashes
You can use a Hash
with node['openssh']['client']
to configure different values for different hosts.
"client": { "*": { "g_s_s_a_p_i_authentication": "yes", "send_env": "LANG LC_*", "hash_known_hosts": "yes" }, "localhost": { "user_known_hosts_file": "/dev/null", "strict_host_key_checking": "no" }, "127.0.0.1": { "user_known_hosts_file": "/dev/null", "strict_host_key_checking": "no" }, "other*": { "user_known_hosts_file": "/dev/null", "strict_host_key_checking": "no" } }
The keys are used as values with the Host
entries. So, the configuration fragment shown above generates:
Host * SendEnv LANG LC_* HashKnownHosts yes GSSAPIAuthentication yes Host localhost StrictHostKeyChecking no UserKnownHostsFile /dev/null Host 127.0.0.1 StrictHostKeyChecking no UserKnownHostsFile /dev/null Host other* StrictHostKeyChecking no UserKnownHostsFile /dev/null
SSH Subsystems
Configure multiple SSH subsystems (e.g. sftp, netconf):
"openssh": { "server": { "subsystem": { "sftp": "/usr/lib/openssh/sftp-server", "appX": "/usr/sbin/appX" } } }
Former declaration of single subsystem:
"openssh": { "server": { "subsystem": "sftp /usr/lib/openssh/sftp-server" } }
Contributors
This project exists thanks to all the people who contribute.
Backers
Thank you to all our backers!
Sponsors
Support this project by becoming a sponsor. Your logo will show up here with a link to your website.
openssh Cookbook CHANGELOG
This file is used to list changes made in each version of the openssh cookbook.
2.9.0 - 2021-02-25
- Sous Chefs Adoption
- Cookstyle fixes
2.8.1 (2019-10-03)
- Expand platform testing to the latest platforms - @tas50
- Move template files out of the default directory - @tas50
- Remove deprecated recipe and long_description metadata - @tas50
- Remove EOL opensuse platform from the metadata - @tas50
- Cookstyle fixes in the library - @tas50
- Add RHEL 8 docker container support - @tas50
2.8.0 (2019-05-06)
- This release greatly improves the default attributes on openSUSE/SLES systems
- Update test kitchen config - @tas50
- Add code owners file - @tas50
- Cookstyle fixes - @tas50
- Remove testing of EOL Ubuntu 14.04 - @tas50
- Move the service name to a helper - @tas50
- Fix the roaming test for Amazon Linux 2 - @tas50
- Add opensuseleap 15 testing and Chef 14 testing - @tas50
- Disable roaming on SLES 15 as well - @tas50
- Support generating ssh keys in opensuse 15 containers - @tas50
- Move use_roaming attribute default logic to a helper - @tas50
- Configure the subystem properly on SUSE platform family - @tas50
- Move ssh host key determination to a helper with SLES 15 support - @tas50
- Make sure we return true when supported - @tas50
- Modernize the specs for the new ChefSpec release - @tas50
- Add platform version helpers for readability - @tas50
- Default specs to 18.04 - @tas50
- Avoid FC warning - @tas50
- Disable opensuse 15 testing for now - @tas50
2.7.1 (2018-11-01)
- Add support for multiple subsystems
- Use template verify property instead of notify to handle configuration verification so we don't ever template out a non-functional config
2.7.0 (2018-07-24)
- Add support for array values under a host hash and added indentation for host values
2.6.3 (2018-03-19)
- Support Amazon Linux 2 in containers
2.6.2 (2018-03-02)
- Swap Chef 12 testing for Chef 14 testing
- Create the privilege separation directory on debian/ubuntu, which is not always there on Docker images
- Add Ubuntu 18.04 testing
2.6.1 (2017-11-30)
- Generate missing ssh keys on amazon linux as well. This impacts containers where ssh keys have not already been generated
2.6.0 (2017-10-18)
- Fixed trusted user CA key documentation
- Collapse the smartos hostkey attributes into the centos 6 attributes since they were the same values
- Make sure the hostkey attribute works when RHEL 8 comes out by not constraining the version check too much
- Run sshd-keygen on Fedora / CentOS 7 when host keys are missing. Why would keys be missing? Well if you've never run sshd then you don't have keys on RHEL/Fedora. This happens primarily when you try to Chef a container
- Add Testing on Chef 12 to Travis so we test both 12 and 13
- Move the flat helper methods into an actual library that is properly loaded
2.5.0 (2017-09-16)
- Added TrustedUserCAKeys and RevokedKeys support
- Enabled Foodcritic FC024 again
- Generate keys on systemd boxes before validating configs by starting sshd-keygen service if it exists. This prevents failures in docker
- Use multipackage installs to install client/server packages to speed up the chef run
- Add Debian 9 testing in Travis
- Add more platforms to Chefspecs, avoid deprecation warnings, and greatly speed up specs
2.4.1 (2017-05-22)
- Fix a bug that resulted in RHEL 6 cert paths being incorrect and expanded testing to check ssh login behavior not just config validation.
2.4.0 (2017-05-11)
- Config fixes for the sshd config on Amazon Linux
- Use the correct ssh host keys on RHEL 6
- Use the right sftp subsystem on Debian and Fedora
- Make sure the hostkeys are set on Debian/Ubuntu
2.3.1 (2017-04-20)
- Fix AIX service to skip enable since AIX does not support enable
2.3.0 (2017-04-19)
- Add basic AIX support
2.2.0 (2017-04-03)
- Test with Local Delivery instead of Rake
- Initial Amazon Linux support for Chef 13
2.1.1 (2017-01-03)
- Fix for sftp on rhel
- Add all supported SUSE releases to the readme and metadata
2.1.0 (2016-09-18)
- Add support for multiple sshd ports.
- Switch to kitchen-dokken for integration testing in Travis CI
- EL7 intentionally lacks of auto-gen'd DSA key
- Fix commented default for ciphers and macs
- Add chef_version metadata
- Remove hostnames from the templates
- Basic Mac OS support
- Avoid node.set deprecation warnings
- Require Chef 12.1+
- Fix inspec tests
- Remove the service provider logic that isn't necessary in Chef 12
- Set the sftp subsystem on Ubuntu
2.0.0 (2016-03-18)
- Don't set the Roaming No directive on RHEL systems before 7.0 as they ship with a sshd release which does not handle this directive
- Depend on the newer iptables cookbook, which bumps the required Chef release for this cookbook to 12.0+
1.6.1 (2016-01-20)
- Restored sshd restarting post config change
1.6.0 (2016-01-14)
- Removed the default['openssh']['rootgroup'] attribute and instead use root_group which was introduced in Chef 11.6.0
- UseRoaming no is now set in the client config to resolve CVE-2016-0777 and CVE-2016-0778
- Converted bats integration test to 2 suites of Inspec tests
- Added a libary to sort sshd_config entries while keeping port at the top to prevent sshd from failing to start
1.5.2 (2015-06-29)
- Use the complete path to sshd when verifying the config file since sbin may not be in the path
1.5.0 (2015-06-24)
- Perform a config syntax check before restarting the sshd so we don't break remote access to hosts
- Add support for Ubuntu 15.04+ with systemd
- Added a chefignore file
- Added Gitter badge for asking questions in a Gitter chat room
1.4.0 (2015-05-01)
- 42 - Fixed support for SmartOS
- 46 - Correct ArchLinux service name
- 43 - Correct OpenSSH server package name on RHEL, Fedora
- 31 - Allow included iptables rule to use the same port number if defined in attributes.
- 41 - Fix default recipe order
- 47 - Fix up iptables rule
- 49 - Fixed the print_last_log attribute in the Readme
- Updated Test Kitchen config with all supported platforms
- Updated Test Kitchen / Foodcritic / Rubocop / Berkshelf depedencies in the Gemfile
- Replaced Travis Ruby 1.9.3/2.0.0 testing with 2.1.5/2.2.0
- Resolved all Rubocop warnings
v1.3.4 (2014-04-23)
- [COOK-4576] - No way to override
AuthorizedKeysFile
- [COOK-4584] - Use Upstart on Ubuntu 12.04
- [COOK-4585] - skip match block in template if empty or unset
- [COOK-4586] OpenSSH Gentoo support
v1.3.2
Bug
- COOK-3995 - sshd_config template needs ordering
- COOK-3910 - ssh fails to start in Ubuntu 13.10
- COOK-2073 - Add support for Match block
v1.3.0
Improvement
- COOK-3644 - Add FreeBSD support
- COOK-2517 - Add hash support
- COOK-2000 - Make mode of sshd_config a configurable option
Bug
v1.2.2
Bug
-
COOK-3304 - Fix error setting Dynamic
ListenAddresses
v1.2.0
Improvement
- [COOK-2647]:
port_ssh
iptables template has no corresponding recipe
v1.1.4
- [COOK-2225] - Add platform_family suse
v1.1.2
- [COOK-1954] - Fix attribute camel case to match
man sshd_config
- [COOK-1889] - SSH restarting on each chef run due to template changes
v1.1.0
- [COOK-1663] - Configurable ListenAddress based off list of interface names
- [COOK-1685] - Make default sshd_config value more robust
v1.0.0
- [COOK-1014] - Templates for ssh(d).conf files.
v0.8.1
- Current public release