chr4-cookbooks / sshd Goto Github PK

The default attributes don't consider the location of Arch linux's SFTP server binary, which is /usr/lib/ssh/sftp-server. Gentoo also puts the binary in the same location as Redhat does, but because you're checking for platform family, isn't detected.

I propose thus:

%w[/usr/lib/openssh/sftp-server
   /usr/libexec/openssh/sftp-server
   /usr/libexec/sftp-server
   /usr/lib/ssh/sftp-server].select do |sftpbin|
  File.exist? sftpbin
end

Please either remove this setting or make it configurable.

The 'check_sshd_config' block under definitions/openssh_server.rb fails on RHEL 5.11 with the following error.

---- Begin output of sshd -t -f /etc/ssh/sshd_config ----
STDOUT:
STDERR: sshd re-exec requires execution with an absolute path
---- End output of sshd -t -f /etc/ssh/sshd_config ----
Ran sshd -t -f /etc/ssh/sshd_config returned 255

Modifying the block to use the full path of the sshd binary fixed the issue

execute 'check_sshd_config' do
command "/usr/sbin/sshd -t -f #{filename}"
action :nothing
end

  [2016-06-17T17:32:58+00:00] WARN: Cloning resource attributes for service[sshd] from prior resource (CHEF-3694)
  [2016-06-17T17:32:58+00:00] WARN: Previous service[sshd]: /tmp/kitchen/cache/cookbooks/sshd/recipes/install.rb:29:in `from_file'
  [2016-06-17T17:32:58+00:00] WARN: Current  service[sshd]: /tmp/kitchen/cache/cookbooks/sshd/definitions/openssh_server.rb:43:in `block in from_file'

Could probably merge the 'provider' line from install.rb into openssh_server.rb with no issues.

openssh_server should start ssh service (using Upstart) on Ubuntu 14.04, but it doesn't at the moment. Tested on Chef 12.1.1 and 12.2.1.

Can login to the machine and start the service fine manually using service ssh start.

Bug in either this cookbook or Chef itself? I see a heap of GH issues on the Chef side relating to Upstart selections etc, and I see the hack in definitions/openssh_server.rb to set the Upstart provider for >13.10. Either way somethings busted :)

Happy to help investigate here if you point me in the right direction.

When trying to set both the Port and ListenAddress attributes on Ubuntu 14.04 in combination with this cookbook (sshd is version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014), I get the following error when testing the resulting configuration with sshd -t:

/etc/ssh/sshd_config line 15: ports must be specified before ListenAddress.

Looks like strict alphabetical order as represented in generate_sshd_config by config.sort doesn't really work for the combination of these two sshd directives.

I've worked around the problem for now by keeping Port as a node attribute, and setting node['sshd']['sshd_config']['ListenAddress'] to a Hash, where the keys of the hash are IPs or IP/port combinations, and the respective values are empty strings.

Not sure what the best solution is here - whether it is a special case to have Port appear first in the configuration or whether it is worthwhile to have a more in-depth attribute precedence mechanism. If this sufficiently annoys me (since it comes up on nodes with multiple network interfaces/aliases, where I need to specifically bind sshd to only listen to certain IP addresses) I'll submit a pull request, but I'd be interested to hear if there are any other ideas.

Thanks!