
openssh's Introduction

openssh Cookbook


Installs and configures OpenSSH client and daemon.

Maintainers

This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you’d like to know more please visit sous-chefs.org or come chat with us on the Chef Community Slack in #sous-chefs.

Requirements

Platforms

  • Debian/Ubuntu
  • RHEL/CentOS/Scientific/Oracle
  • Fedora
  • FreeBSD
  • Suse Enterprise Linux
  • openSUSE / openSUSE leap
  • AIX 7.1
  • Windows

Chef

  • Chef 12.1+

Cookbooks

  • iptables

Recipes

default

Installs openssh packages, manages the sshd config file, configures trusted CA keys, configures revoked keys, and starts/enables the sshd service.

iptables

Creates an iptables firewall rule to allow inbound SSH connections.

Usage

Apply the default recipe to the node's run_list to ensure that the openssh packages are installed, sshd is configured, and the service is started and enabled.

Attributes List

The attributes list is dynamically generated, and lines up with the default openssh configs.

This means anything located in sshd_config or ssh_config can be used in your node attributes.

  • If the option can be entered more than once, use an Array; otherwise, use a String. If the option is host-specific, use a Hash (please see below for more details).
  • Each attribute is stored in Ruby-style snake case and converted to camel case for the config file on the fly.
  • The current default attributes match the stock ssh_config and sshd_config provided by openssh.
  • The namespace for sshd_config is node['openssh']['server'].
  • Likewise, the namespace for ssh_config is node['openssh']['client'].
  • An attribute can be an Array, a Hash or a String.
  • If it is an Array, each item in the array will get its own line in the config file.
  • Hash attributes are meant to be used with the ssh_config namespace to create host-specific configurations. The keys of the Hash will be used as the Host entries and their associated entries as the configuration values.
  • All the values in openssh are commented out in the attributes/default.rb file for a base starting point.
  • There is one special attribute name, which is match. This is not included in the default template like the others. node['openssh']['server']['match'] must be a Hash, where the key is the match pattern criteria and the value should be a Hash of normal keywords and values. The same transformations listed above apply to these keywords. To get improved sorting of match items, you can prefix the key with a number. See examples below.

Dynamic ListenAddress

Pass in a Hash of interface names, and IP address type(s) to bind sshd to. This will expand to a list of IP addresses which override the default node['openssh']['server']['listen_address'] value.

Examples and Common usage

These can be mixed and matched in roles and attributes. Please note that it is possible to get sshd into a state in which it will not run. If this is the case, you will need to log in via an alternate method and debug sshd like normal.

No Password logins

This requires the use of identity files to connect.

"openssh": {
  "server": {
    "password_authentication": "no"
  }
}

Change sshd Port

"openssh": {
  "server": {
    "port": "14188"
  }
}

Match

"openssh": {
  "server": {
    "match": {
      "Address 192.168.1.0/24": {
        "password_authentication": "yes"
      },
      "Group admins": {
        "permit_tunnel": "yes",
        "max_sessions": "20"
      }
    }
  }
}

Match with sorting

"openssh": {
  "server": {
    "match": {
      "0 User foobar": {
        "force_command": "internal-sftp -d /home/%u -l VERBOSE"
      },
      "Group admins": {
        "force_command": "internal-sftp -d /home/admins -l VERBOSE"
      }
    }
  }
}
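The attribute rules from the Attributes List and the effect of the numeric Match prefix, modelled as an added example that is not the cookbook's own template code. Sorting Match keys as plain strings, stripping the leading number, and the simplified first-match evaluator are assumptions made for illustration; the sample values are taken from the Match examples above.

```ruby
# Added example: a stand-alone model of the README's attribute rules.
# Not the cookbook's code. Assumptions: Match keys are sorted as plain
# strings and a leading "<number> " is stripped before rendering.

# 'g_s_s_a_p_i_authentication' -> 'GSSAPIAuthentication'
def keyword(attr_name)
  attr_name.to_s.split('_').map { |part| part.sub(/\A./) { |c| c.upcase } }.join
end

# String -> one line, Array -> one line per item, Hash -> one line per pair
# (the Hash form is how the multi-subsystem attribute is written).
def render_lines(settings, indent = '')
  settings.flat_map do |name, value|
    case value
    when Array then value.map { |item| "#{indent}#{keyword(name)} #{item}" }
    when Hash  then value.map { |k, v| "#{indent}#{keyword(name)} #{k} #{v}" }
    else ["#{indent}#{keyword(name)} #{value}"]
    end
  end
end

# Global keywords first, then Match blocks in sorted key order.
def render_sshd_config(server)
  global = server.reject { |name, _| name.to_s == 'match' }
  lines = render_lines(global)
  server.fetch('match', {}).sort_by { |criteria, _| criteria.to_s }.each do |criteria, settings|
    lines << "Match #{criteria.to_s.sub(/\A\d+\s+/, '')}"
    lines.concat(render_lines(settings, '  '))
  end
  lines.join("\n") + "\n"
end

# Simplified model of Match evaluation: only exact "User <name>" and
# "Group <name>" criteria, and the first matching block's ForceCommand wins.
def effective_force_command(config, user:, groups:)
  active = false
  config.each_line do |line|
    word, rest = line.strip.split(/\s+/, 2)
    next if word.nil?

    if word == 'Match'
      kind, name = rest.to_s.split(/\s+/, 2)
      active = (kind == 'User' && name == user) ||
               (kind == 'Group' && groups.include?(name))
    elsif active && word == 'ForceCommand'
      return rest
    end
  end
  nil
end

# Constructed sample attributes; user_key is the Match key for user foobar.
def sample_server(user_key)
  {
    'password_authentication' => 'no',
    'accept_env' => %w[LANG XMODIFIERS],
    'subsystem' => { 'sftp' => '/usr/lib/openssh/sftp-server' },
    'match' => {
      user_key => { 'force_command' => 'internal-sftp -d /home/%u -l VERBOSE' },
      'Group admins' => { 'force_command' => 'internal-sftp -d /home/admins -l VERBOSE' }
    }
  }
end

if __FILE__ == $PROGRAM_NAME
  ['User foobar', '0 User foobar'].each do |key|
    config = render_sshd_config(sample_server(key))
    puts "--- Match key #{key.inspect}", config
    winner = effective_force_command(config, user: 'foobar', groups: ['admins'])
    puts "foobar (member of admins) runs: #{winner}"
  end
end
```

Without the prefix, the group block sorts ahead of the user block, so a user who is also in admins is confined by the group's ForceCommand rather than the per-user one.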

Enable X Forwarding

"openssh": {
  "server": {
    "x11_forwarding": "yes"
  }
}

Bind to a specific set of addresses (this example actually binds to all)

Not to be used with node['openssh']['listen_interfaces'].

"openssh": {
  "server": {
    "address_family": "any",
    "listen_address": [ "192.168.0.1", "::" ]
  }
}

Bind to the addresses tied to a set of interfaces

"openssh": {
  "listen_interfaces": {
    "eth0": "inet",
    "eth1": "inet6"
  }
}

Configure Trusted User CA Keys

"openssh": {
  "ca_keys": [
    "ssh-rsa key... ca_id_1",
    "ssh-rsa key... ca_id_2"
  ]
}

Configure Revoked Keys

"openssh": {
  "server": {
    "revoked_keys": [
      "ssh-rsa key... user_key_1",
      "ssh-rsa key... user_key_2"
    ]
  }
}

Host-specific configurations with hashes

You can use a Hash with node['openssh']['client'] to configure different values for different hosts.

"client": {
  "*": {
    "g_s_s_a_p_i_authentication": "yes",
    "send_env": "LANG LC_*",
    "hash_known_hosts": "yes"
  },
  "localhost": {
    "user_known_hosts_file": "/dev/null",
    "strict_host_key_checking": "no"
  },
  "127.0.0.1": {
    "user_known_hosts_file": "/dev/null",
    "strict_host_key_checking": "no"
  },
  "other*": {
    "user_known_hosts_file": "/dev/null",
    "strict_host_key_checking": "no"
  }
}

The keys are used as values with the Host entries. So, the configuration fragment shown above generates:

Host *
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
Host localhost
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
Host 127.0.0.1
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
Host other*
StrictHostKeyChecking no
UserKnownHostsFile /dev/null

SSH Subsystems

Configure multiple SSH subsystems (e.g. sftp, netconf):

"openssh": {
  "server": {
    "subsystem": {
      "sftp": "/usr/lib/openssh/sftp-server",
      "appX": "/usr/sbin/appX"
    }
  }
}

Former declaration of single subsystem:

"openssh": {
  "server": {
    "subsystem": "sftp /usr/lib/openssh/sftp-server"
  }
}

Contributors

This project exists thanks to all the people who contribute.

Backers

Thank you to all our backers!

https://opencollective.com/sous-chefs#backers

Sponsors

Support this project by becoming a sponsor. Your logo will show up here with a link to your website.



openssh's Issues

Bad configuration option: RevokedKeys

Cookbook version

[Version of the cookbook where you are encountering the issue]
2.6.0

Chef-client version

[Version of chef-client in your environment]
12.19.36

Platform Details

[Operating system distribution and release version. Cloud provider if running in the cloud]
centos 5.11 x86_64

Scenario:

[What you are trying to achieve and you can't?]
can't start sshd

Steps to Reproduce:

install on centos 5.11

Expected Result:

start sshd

Actual Result:

Starting sshd: /etc/ssh/sshd_config: line 29: Bad configuration option: RevokedKeys
/etc/ssh/sshd_config: terminating, 1 bad configuration options

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

This repository currently has no open or pending branches.

Detected dependencies

github-actions
.github/workflows/ci.yml
  • sous-chefs/.github 3.1.1
  • actions/checkout v4
  • actionshub/chef-install 3.0.0
  • actionshub/test-kitchen 3.0.0
  • actions/checkout v4
  • actionshub/chef-install 3.0.0
  • suisei-cn/actions-download-file v1.6.0
  • actionshub/test-kitchen 3.0.0
  • actionshub/test-kitchen 3.0.0
.github/workflows/stale.yml
  • actions/stale v9


Trusted user CA configuration example wrong

Cookbook version

2.5.0

Chef-client version

13.4.24

Platform Details

Ubuntu 16.04 in EC2

Scenario:

Configure Trusted User CA Keys.

Steps to Reproduce:

Try to use attribute node['openssh']['server']['trusted_user_c_a_keys'] to set Trusted User CA Keys as is mentioned in README.md. That is set a public key value there.

Expected Result:

Public key is used to verify user certificates.

Actual Result:

Chef::Exceptions::ValidationFailed
----------------------------------
Property path must be one of: String!  You passed ["ssh-rsa AAAAB3NzaC1yc..."].

Cookbook Trace:
---------------
  /var/chef/cache/cookbooks/openssh/recipes/default.rb:46:in `block in from_file'
  /var/chef/cache/cookbooks/openssh/recipes/default.rb:44:in `from_file'
  /var/chef/cache/cookbooks/privx/recipes/default.rb:34:in `from_file'

Relevant File Content:
----------------------
/var/chef/cache/cookbooks/openssh/recipes/default.rb:

 39:    end
 40:  
 41:    node.normal['openssh']['server']['listen_address'] = listen_addresses
 42:  end
 43:  
 44:  template 'sshd_ca_keys_file' do
 45:    source 'ca_keys.erb'
 46>>   path node['openssh']['server']['trusted_user_c_a_keys']
 47:    mode node['openssh']['config_mode']
 48:    owner 'root'
 49:    group node['root_group']
 50:  end
 51:  
 52:  template 'sshd_revoked_keys_file' do
 53:    source 'revoked_keys.erb'
 54:    path node['openssh']['server']['revoked_keys']
 55:    mode node['openssh']['config_mode']

System Info:
------------
chef_version=13.4.24
platform=ubuntu
platform_version=16.04
ruby=ruby 2.4.2p198 (2017-09-14 revision 59899) [x86_64-linux]
program_name=chef-client worker: ppid=3277;start=14:02:19;
executable=/opt/chef/bin/chef-client

Duplicate 'Host *' in ssh_config

Cookbook version

2.7.0

Chef-client version

12.21.3 (also tested with 12.22.5 and 13.12.3)

Platform Details

RHEL6.4 (also tested with RHEL7.5)

Scenario:

Add custom configuration to /etc/ssh/ssh_config using either additional default attributes in a wrapper cookbook, or explicitly as normal attributes in a node, results in two Host * lines in /etc/ssh/ssh_config.

Steps to Reproduce:

  1. Default
    Node has no explicit openssh attributes. I ran chef-client -o 'recipe[openssh::default]' recipe by itself to isolate the convergence.

As expected, the /etc/ssh/ssh_config shows as follows:

# cat /etc/ssh/ssh_config                  
# This file was generated by Chef for NODENAME
# Do NOT modify this file by hand!

Host *
  1. Add one attribute to openssh client
    Add a single normal attribute to the node to add a line to /etc/ssh/ssh_config:
"openssh": {
  "client": {
    "*": {
      "forwardx11trusted": "yes"
    }   
  }
},

Run chef-client -o 'recipe[openssh::default]' again, and now we have a dupe:

# cat /etc/ssh/ssh_config                  
# This file was generated by Chef for NODENAME
# Do NOT modify this file by hand!

Host *
Host *
Forwardx11trusted yes
  1. Add some custom default attributes in a wrapper cookbook
    I've got a separate openssh.rb file in the attributes directory of a wrapper cookbook. This contains the following:
    default['openssh']['client']['*']['g_s_s_a_p_i_authentication'] = 'yes'
    default['openssh']['client']['*']['forwardx11trusted'] = 'yes'
    default['openssh']['client']['*']['sendenv'] = 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION LC_ALL LANGUAGE XMODIFIERS'

I've removed the normal openssh attributes from previous scenarios. If I execute chef-client, my /etc/ssh/ssh_config looks like this after convergence:

# This file was generated by Chef for NODENAME
# Do NOT modify this file by hand!

Host *
GSSAPIAuthentication yes
Forwardx11trusted yes
Sendenv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION LC_ALL LANGUAGE XMODIFIERS
Host *

Not sure what the resultant behavior is when this happens, but regardless of that it doesn't look right.

If I take the same default attributes, but add an explicit ['host'] = '*':

    default['openssh']['client']['host'] = '*'
    default['openssh']['client']['*']['g_s_s_a_p_i_authentication'] = 'yes'
    default['openssh']['client']['*']['forwardx11trusted'] = 'yes'
    default['openssh']['client']['*']['sendenv'] = 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION LC_ALL LANGUAGE XMODIFIERS'

Then after the chef-client convergence, the ssh_config is slightly different:

# cat /etc/ssh/ssh_config 
# This file was generated by Chef for NODENAME
# Do NOT modify this file by hand!

Host *
Host *
GSSAPIAuthentication yes
Forwardx11trusted yes
Sendenv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION LC_ALL LANGUAGE XMODIFIERS

Expected Result:

No duplicate Host * lines.

Actual Result:

A duplicate Host * line.

LDAP ssh options

Cookbook version

2.1.1

Chef-client version

12.17.44

Platform Details

Centos 7.3

Scenario:

I want to add the following config options which are related to openssh-ldap allowing you to use ldap to store ssh keys:

AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
AuthorizedKeysCommandRunAs nobody

Multiple of these are allowed
AcceptEnv LANG
AcceptEnv XMODIFIERS

Unless there is a way to add custom configs to allow extra flexibility?

Ubuntu 15 fails because /sbin/status is not found

Not sure if this is rightly here or in chef's Upstart code, but using

$> chef -v
Chef Development Kit Version: 0.6.0
chef-client version: 12.3.0
berks version: 3.2.4
ckitchen version: 1.4.0

and openssh cookbook 1.4.0

to build ubuntu 15.04 server I get an error:

     * service[ssh] action enable

       ================================================================================
       Error executing action `enable` on resource 'service[ssh]'
       ================================================================================

       Errno::ENOENT
       -------------
       No such file or directory - /sbin/status

None of those files (enable, restart, status) exist in /sbin in the 15.04 image I'm building from. The same cookbook in the same environment builds 14.04 just fine (and while there is no /sbin/status, the command "service ssh status" works).

Cookbook should write sshd_configuration before starting the service

At this time the cookbook tries to start SSHd before updating the template. This means that if any error is introduced, you cannot fix it without manually editing sshd_config and removing the error.

Simply reorder the default.rb and place the service after the template to resolve this problem.

Ubuntu 15.10

Hi there,
I tested your cookbook on a Ubuntu 15.10 Server. It's working, but there are many things removed. I think this should not be the way for production.

For example, logging or UsePrivilegeSeparation are things that should not be removed by default.

I think separating each distribution and maybe version (attributes) is a way to go for a better cookbook. Chef-solo / local or chef-zero is built on an ssh connection and from that case it should be a perfectly built cookbook like apache2.

Chef Team, please invest some time here!

  • template[/etc/ssh/ssh_config] action create

    • update content in file /etc/ssh/ssh_config from 6005ad to 738d96
      --- /etc/ssh/ssh_config 2015-04-09 09:48:17.000000000 +0000
      +++ /etc/ssh/.chef-ssh_config20160411-7179-1qindz9 2016-04-11 21:19:57.978480519 +0000
      @@ -1,55 +1,6 @@
      +# This file was generated by Chef for domoticz
      +# Do NOT modify this file by hand!

    -# This is the ssh client system-wide configuration file. See
    -# ssh_config(5) for more information. This file provides defaults for
    -# users, and the values can be changed in per-user configuration files

    -# or on the command line.

    -# Configuration data is parsed as follows:
    -# 1. command line options
    -# 2. user-specific file
    -# 3. system-wide file
    -# Any configuration value is only changed the first time it is set.
    -# Thus, host-specific definitions should be at the beginning of the

    -# configuration file, and defaults at the end.

    -# Site-wide defaults for some commonly used options. For a comprehensive
    -# list of available options, their meanings and defaults, please see the

    -# ssh_config(5) man page.

    Host *
    -# ForwardAgent no
    -# ForwardX11 no
    -# ForwardX11Trusted yes
    -# RhostsRSAAuthentication no
    -# RSAAuthentication yes
    -# PasswordAuthentication yes
    -# HostbasedAuthentication no
    -# GSSAPIAuthentication no
    -# GSSAPIDelegateCredentials no
    -# GSSAPIKeyExchange no
    -# GSSAPITrustDNS no
    -# BatchMode no
    -# CheckHostIP yes
    -# AddressFamily any
    -# ConnectTimeout 0
    -# StrictHostKeyChecking ask
    -# IdentityFile ~/.ssh/identity
    -# IdentityFile ~/.ssh/id_rsa
    -# IdentityFile ~/.ssh/id_dsa
    -# Port 22
    -# Protocol 2,1
    -# Cipher 3des
    -# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
    -# MACs hmac-md5,hmac-sha1,[email protected],hmac-ripemd160
    -# EscapeChar ~
    -# Tunnel no
    -# TunnelDevice any:any
    -# PermitLocalCommand no
    -# VisualHostKey no
    -# ProxyCommand ssh -q -W %h:%p gateway.example.com
    -# RekeyLimit 1G 1h

    • SendEnv LANG LC_*
    • HashKnownHosts yes
    • GSSAPIAuthentication yes
    • GSSAPIDelegateCredentials no
      +UseRoaming no
  • template[/etc/ssh/sshd_config] action create

    • update content in file /etc/ssh/sshd_config from 70157d to bfb1d0
      --- /etc/ssh/sshd_config 2016-03-20 21:17:14.298343064 +0000
      +++ /etc/ssh/.chef-sshd_config20160411-7179-p7xacl 2016-04-11 21:19:58.010480303 +0000
      @@ -1,89 +1,8 @@
      -# Package generated configuration file
      -# See the sshd_config(5) manpage for details
      +# This file was generated by Chef for domoticz
      +# Do NOT modify this file by hand!

    -# What ports, IPs and protocols we listen for
    -Port 22
    -# Use these options to restrict which interfaces/protocols sshd will bind to
    -#ListenAddress ::
    -#ListenAddress 0.0.0.0
    -Protocol 2
    -# HostKeys for protocol version 2
    -HostKey /etc/ssh/ssh_host_rsa_key
    -HostKey /etc/ssh/ssh_host_dsa_key
    -HostKey /etc/ssh/ssh_host_ecdsa_key
    -HostKey /etc/ssh/ssh_host_ed25519_key
    -#Privilege Separation is turned on for security

    -UsePrivilegeSeparation yes

    -# Lifetime and size of ephemeral version 1 server key
    -KeyRegenerationInterval 3600

    -ServerKeyBits 1024

    -# Logging
    -SyslogFacility AUTH

    -LogLevel INFO

    -# Authentication:
    -LoginGraceTime 120
    -PermitRootLogin yes

    -StrictModes yes

    -RSAAuthentication yes
    -PubkeyAuthentication yes

    -#AuthorizedKeysFile %h/.ssh/authorized_keys

    -# Don't read the user's ~/.rhosts and ~/.shosts files
    -IgnoreRhosts yes
    -# For this to work you will also need host keys in /etc/ssh_known_hosts
    -RhostsRSAAuthentication no
    -# similar for protocol version 2
    -HostbasedAuthentication no
    -# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication

    -#IgnoreUserKnownHosts yes

    -# To enable empty passwords, change to yes (NOT RECOMMENDED)

    -PermitEmptyPasswords no

    -# Change to yes to enable challenge-response passwords (beware issues with
    -# some PAM modules and threads)

    ChallengeResponseAuthentication no

    -# Change to no to disable tunnelled clear text passwords

    -#PasswordAuthentication yes

    -# Kerberos options
    -#KerberosAuthentication no
    -#KerberosGetAFSToken no
    -#KerberosOrLocalPasswd yes

    -#KerberosTicketCleanup yes

    -# GSSAPI options
    -#GSSAPIAuthentication no

    -#GSSAPICleanupCredentials yes

    -X11Forwarding yes
    -X11DisplayOffset 10
    -PrintMotd no
    -PrintLastLog yes
    -TCPKeepAlive yes

    -#UseLogin no

    -#MaxStartups 10:30:60

    -#Banner /etc/issue.net

    -# Allow client to pass locale environment variables

    -AcceptEnv LANG LC_*

    -Subsystem sftp /usr/lib/openssh/sftp-server

    -# Set this to 'yes' to enable PAM authentication, account processing,
    -# and session processing. If this is enabled, PAM authentication will
    -# be allowed through the ChallengeResponseAuthentication and
    -# PasswordAuthentication. Depending on your PAM configuration,
    -# PAM authentication via ChallengeResponseAuthentication may bypass
    -# the setting of "PermitRootLogin without-password".
    -# If you just want the PAM account and session checks to run without
    -# PAM authentication, then enable this but set PasswordAuthentication
    -# and ChallengeResponseAuthentication to 'no'.
    +PasswordAuthentication no
    UsePAM yes
    +
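Review bot: the `-Subsystem sftp /usr/lib/openssh/sftp-server` deletion near the end of the sshd_config hunk has no `+Subsystem` line replacing it, so the rendered file no longer declares an sftp subsystem, and `-SyslogFacility AUTH`, `-LogLevel INFO`, `-PermitRootLogin yes` and `-PermitEmptyPasswords no` are likewise dropped and left to sshd's compiled-in defaults. Suggest setting these keywords explicitly under node['openssh']['server'] (for example `subsystem`, `log_level`, `permit_empty_passwords`) so that settings an audit depends on stay visible in the generated file and cannot change silently with a package default.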

Breaks sftp on RHEL 6

The sshd_config on RHEL 6 fails to set SFTP access correctly. The difficulty is this line, which is published in the default openssh-server based sshd_config, but is not published by the default cookbook setting:

  • Subsystem sftp /usr/libexec/openssh/sftp-server.

Incorrect ordering of Port and ListenAddress options

Openssh requires that certain options are present before others.

As per 'man sshd_config':

If port is not specified, sshd will listen on the address and all prior Port options specified. The default is to listen on all local addresses. Multiple ListenAddress options are permitted. Additionally, any Port options must precede this option for non-port qualified addresses.

The incorrect ordering may result in ssh not starting if you specify the port using the Port option instead of placing the port inside the ListenAddress.

Error when using Ubuntu 15.04 with upstart

Ubuntu 15.04 with systemd is supported per #62 but I had to switch back to upstart for a different cookbook and now I'm running into an issue with the openssh cookbook:

[htpc] out: ---- Begin output of /bin/systemctl start ssh ----
[htpc] out: STDOUT:
[htpc] out: STDERR: Failed to get D-Bus connection: Operation not permitted
[htpc] out: ---- End output of /bin/systemctl start ssh ----
[htpc] out: Ran /bin/systemctl start ssh returned 1
[htpc] out: [2015-10-16T06:26:27+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

Any way to support both systemd & upstart for Ubuntu 15.04 in this cookbook?

Sftp subsystem enabled by default

Cookbook version

2.6.3

Chef-client version

14.2.0 and earlier

Platform Details

RHEL 7.5, 6.9

Scenario:

The openssh cookbook seems to now have sftp subsystem on by default in its cookbook attributes. When the attribute is set via another mechanism, in this case as a role attribute, the openssh cookbook puts two lines in the /etc/ssh/sshd_config file and the sshd service will not start.

Steps to Reproduce:

Run the openssh cookbook with this role attribute:

"openssh": {
      "server": {
        "Subsystem": "sftp /usr/libexec/openssh/sftp-server"
      }
    }

Expected Result:

The sftp subsystem should not be enabled by default. I should be able to enable it as needed. The openssh cookbook should not add two sftp subsystem lines.

Actual Result:

My test kitchen run returns this error, and the sshd service will not start.

* execute[sshd-config-check] action run
           
           ================================================================================
           Error executing action `run` on resource 'execute[sshd-config-check]'
           ================================================================================
           
           Mixlib::ShellOut::ShellCommandFailed
           ------------------------------------
           Expected process to exit with [0], but received '255'
           ---- Begin output of /usr/sbin/sshd -t ----
           STDOUT: 
           STDERR: /etc/ssh/sshd_config line 13: Subsystem 'sftp' already defined.
           ---- End output of /usr/sbin/sshd -t ----
           Ran /usr/sbin/sshd -t returned 255
           
           Resource Declaration:
           ---------------------
           # In /tmp/kitchen/cache/cookbooks/openssh/recipes/default.rb
           
            89: execute 'sshd-config-check' do
            90:   command '/usr/sbin/sshd -t'
            91:   action :nothing
            92: end
            93: 
           
           Compiled Resource:
           ------------------
           # Declared in /tmp/kitchen/cache/cookbooks/openssh/recipes/default.rb:89:in `from_file'
           
           execute("sshd-config-check") do
             action [:nothing]
             default_guard_interpreter :execute
             command "/usr/sbin/sshd -t"
             backup 5
             declared_type :execute
             cookbook_name "openssh"
             recipe_name "default"
             domain nil
             user nil
           end
           
           System Info:
           ------------
           chef_version=14.2.0
           platform=oracle
           platform_version=6.9
           ruby=ruby 2.5.1p57 (2018-03-29 revision 63029) [x86_64-linux]
           program_name=/opt/chef/bin/chef-client
           executable=/opt/chef/bin/chef-client
           
       
       Running handlers:
       [2018-07-02T15:41:32+00:00] ERROR: Running exception handlers
       Running handlers complete
       [2018-07-02T15:41:32+00:00] ERROR: Exception handlers complete
       Chef Client failed. 7 resources updated in 07 seconds
       [2018-07-02T15:41:32+00:00] FATAL: Stacktrace dumped to /tmp/kitchen/cache/chef-stacktrace.out
       [2018-07-02T15:41:32+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
       [2018-07-02T15:41:32+00:00] FATAL: Mixlib::ShellOut::ShellCommandFailed: execute[sshd-config-check] (openssh::default line 89) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '255'
       ---- Begin output of /usr/sbin/sshd -t ----
       STDOUT: 
       STDERR: /etc/ssh/sshd_config line 13: Subsystem 'sftp' already defined.
       ---- End output of /usr/sbin/sshd -t ----
       Ran /usr/sbin/sshd -t returned 255
>>>>>> ------Exception-------
>>>>>> Class: Kitchen::ActionFailed
>>>>>> Message: 1 actions failed.
>>>>>>     Converge failed on instance <default-oracle-69>.  Please see .kitchen/logs/default-oracle-69.log for more details
>>>>>> ----------------------
>>>>>> Please see .kitchen/logs/kitchen.log for more details
>>>>>> Also try running `kitchen diagnose --all` for configuration

The iptables cookbook bump to 7.0.0 breaks compat with Chef 12, and this is not pinned in the openssh cookbook.

Cookbook version

2.8.1

Chef-client version

12.21.31

Platform Details

platform=centos
platform_version=7.7.1908

Scenario:

Converging on Chef 12

The iptables cookbook bump to 7.0.0 breaks compat with Chef 12, and this is not pinned in the openssh cookbook.

Proposed fix (while we're all upgrading our chef clients hopefully): is to constrain pessimistically like iptables ~> 6.0 and release a new version of the openssh cookbook.

Thanks!

sshd -t validation failure leaves the invalid configuration in place

Cookbook version

2.7.0

Chef-client version

14.2.0 and earlier

Platform Details

RHEL 7.5, 6.9, AIX 7.1

Scenario:

When the SSH configurations fails to validate using /usr/sbin/sshd -t, the bad configuration file is left in /etc/ssh/sshd_config after raising an exception. When running chef-client at regular intervals, the subsequent chef-client runs complete successfully even though the configuration is invalid. If the server were to reboot, the sshd process would not come up. This behavior defeats the purpose of the sshd -t test. I think a better solution would be to use /usr/sbin/sshd -t -f <desired_config_file> or else restore the backup of the previous config file when the validation fails.

Steps to Reproduce:

Set an invalid attribute to generate an invalid configuration file:

"openssh": {
  "server": {
    "invalid_attribute": true
  }
}

Expected Result:

/usr/sbin/sshd -t test fails and original /etc/ssh/sshd_config file is preserved to avoid problems with SSH if the server were to reboot.

Actual Result:

The bad attribute is still written to the configuration file, leaving an invalid configuration on the server.

[root@dokken /]# grep InvalidAttribute /etc/ssh/sshd_config
InvalidAttribute true

Subsequent chef-client runs succeed because the configuration doesn't need to be updated, even though the configuration is invalid.
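One way to implement the `sshd -t -f <desired_config_file>` approach proposed in this issue, as an added example in plain Ruby (not the cookbook's code). The function name `install_validated`, the `validator:` and `mode:` parameters and the stub validator in the demo are hypothetical; the default validator assumes sshd lives at /usr/sbin/sshd as in the issue.

```ruby
require 'tempfile'
require 'tmpdir'

# Default check: let sshd parse the candidate file instead of the live one
# (-t is test mode, -f names the config file to read).
SSHD_CHECK = ->(candidate) { system('/usr/sbin/sshd', '-t', '-f', candidate) }

# Writes content to a candidate file beside target, validates the candidate,
# and renames it over target only if validation passes. On rejection the
# existing target is left untouched. Returns true if installed, else false.
def install_validated(target, content, validator: SSHD_CHECK, mode: 0o600)
  candidate = Tempfile.create(['.sshd_config.', '.candidate'], File.dirname(target))
  begin
    candidate.write(content)
    candidate.flush
    candidate.fsync
    candidate.close
    File.chmod(mode, candidate.path)
    return false unless validator.call(candidate.path)

    # rename(2) within one directory replaces the target atomically, so sshd
    # never sees a half-written or unvalidated file.
    File.rename(candidate.path, target)
    true
  ensure
    candidate.close unless candidate.closed?
    File.unlink(candidate.path) if File.exist?(candidate.path)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Offline demo with a constructed stub validator standing in for sshd -t:
  # it rejects the InvalidAttribute keyword used in the issue above.
  stub = ->(path) { !File.read(path).include?('InvalidAttribute') }
  Dir.mktmpdir do |dir|
    target = File.join(dir, 'sshd_config')
    File.write(target, "PasswordAuthentication no\n")
    ok = install_validated(target, "InvalidAttribute true\n", validator: stub)
    puts "installed=#{ok} content=#{File.read(target).inspect}"
  end
end
```

Because the rejected candidate never replaces the live file, a later run still sees a difference between desired and installed content and fails again instead of reporting success.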

1.6.1 removes ListenAddress entries from sshd config

With no changes to my wrapper cookbook, 1.6.1 does not add ListenAddress entries to the sshd_config file. Reverting to 1.5.2 fixes this behavior and adds the desired ListenAddress entries from the attributes set by the wrapping cookbook.

This is set by the following line, where listen_ips is an array of strings that represent ips and ip:port:

node.set['openssh']['server']['listen_address'] = listen_ips

CentOS 5.7
Chef 12.6.0

host_key_* attributes make incorrect configuration parameters

According to the sshd_config manual there is only one configuration parameter, HostKey. In the attribute file there are a few host_key_* key-value pairs which produce parameters such as HostKeyRsa, which are incorrect.
It is better to use an array with any needed values, e.g.:

default['openssh']['server']['host_key'] = ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']

The relevant portion of the manual:
HostKey
Specifies a file containing a private host key used by SSH. The default is /etc/ssh/ssh_host_key for protocol version 1, and /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key, /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for protocol version 2. Note that sshd(8) will refuse to use a file if it is group/world-accessible. It is possible to have multiple host key files. “rsa1” keys are used for version 1 and “dsa”, “ecdsa”, “ed25519” or “rsa” are used for version 2 of the SSH protocol. It is also possible to specify public host key files instead. In this case operations on the private key will be delegated to an ssh-agent(1).

MacOS Support

Given that this cookbook is fairly standard, it would be really nice if managing SSH on MacOS was supported.

Ciphers and MACs can't be set for server

In order to resolve Nessus alerts, we need to set Ciphers and MACs in sshd_config but the only option is to set them in ssh_config.

These are two settings that are missing from the cookbook.

Make enabling sftp subsystem conditional

In a lot of environments, having sftp enabled by default runs afoul of security audit scans. The current state of the cookbook doesn't seem to provide the ability to disable sftp on the platforms it supports. It enables it by default. It would make more sense to enable the sftp subsystem only if an attribute in the cookbook was set to true.

Travis is broken

The link to travis is missing. It appears that this cookbook is no longer tested with travis.

Unable to define multiple match blocks in correct order

Cookbook version

2.6.3

Chef-client version

13.8.5

Platform Details

CentOS Linux release 7.4.1708 (Core)

Scenario:

The order of match attributes is not preserved.

Steps to Reproduce:

Assume we have a user foobar that belongs to a group sftp and we need to have more detailed logging level defined for that user.

  • Create a new cookbook that depends on openssh
  • Add a new attributes file that defines the following default values
default['openssh']['server']['match']['User foobar']['force_command'] = 'internal-sftp -d /home/%u -l VERBOSE -f LOCAL3'

default['openssh']['server']['match']['Group sftp']['force_command'] = 'internal-sftp -d /home/%u -f LOCAL3'
  • Add include_recipe 'openssh' to the default recipe
  • Run chef-client using the created cookbook as run list

Expected Result:

User foobar match block should be defined before Group sftp.

Actual Result:

Group sftp match block is defined before User foobar and as a result the user foobar gets wrong ForceCommand.
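
Why the order decides which ForceCommand applies, as an added example (not the cookbook's code or the reporter's): sshd applies only the first instance of a keyword among the Match blocks a session satisfies, and the sshd_config.erb excerpt quoted elsewhere on this page emits the blocks through .sort. The keyword helper and the single-criterion matcher below are simplified assumptions.

```ruby
# Attribute values copied from the report above.
MATCH_ATTRS = {
  'User foobar' => { 'force_command' => 'internal-sftp -d /home/%u -l VERBOSE -f LOCAL3' },
  'Group sftp'  => { 'force_command' => 'internal-sftp -d /home/%u -f LOCAL3' },
}.freeze

# snake_case attribute -> sshd_config keyword (simplified stand-in for the
# cookbook's own conversion).
def keyword(attr)
  attr.split('_').map(&:capitalize).join
end

# Render the Match blocks sorted by key (as the template does) or in the
# order the attributes were defined.
def render_match_blocks(match, sorted:)
  pairs = sorted ? match.sort : match.to_a
  pairs.flat_map do |criteria, opts|
    ["Match #{criteria}"] + opts.map { |k, v| "  #{keyword(k)} #{v}" }
  end.join("\n")
end

# Minimal model of sshd's rule: among the Match blocks a session satisfies,
# the first instance of a keyword wins. Only single "User x" / "Group y"
# criteria are understood here.
def effective_value(config, wanted, user:, groups:)
  active = false
  config.each_line do |line|
    word, rest = line.strip.split(' ', 2)
    next if word.nil?

    if word == 'Match'
      kind, name = rest.split(' ', 2)
      active = (kind == 'User' && name == user) ||
               (kind == 'Group' && groups.include?(name))
    elsif active && word == wanted
      return rest
    end
  end
  nil
end

sorted  = render_match_blocks(MATCH_ATTRS, sorted: true)
ordered = render_match_blocks(MATCH_ATTRS, sorted: false)
puts effective_value(sorted,  'ForceCommand', user: 'foobar', groups: ['sftp'])
puts effective_value(ordered, 'ForceCommand', user: 'foobar', groups: ['sftp'])
```

With sorted output the Group block shadows the more specific User block, so foobar loses the VERBOSE log level.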

host_keys is nil on RHEL7

Cookbook version

2.8.0-2.6.3

Chef-client version

15.4.45

Platform Details

Red Hat 7

Scenario:

The cookbook is not compiling due to the fact that the node['openssh']['server']['host_key'] is returning nil.

Steps to Reproduce:

Use the cookbook in a wrapper and set default['openssh']['server']['HostKey'] to some array. Add the openssh default recipe to the wrapper cookbook.

Expected Result:

The cookbook should compile and converge successfully.

Actual Result:

The cookbook fails to compile with the following error message:

-----> Converging <pt-hardening-default-rhel7>...
       Preparing files for transfer
       Preparing dna.json
       Resolving cookbook dependencies with Berkshelf 7.0.9...
       Removing non-cookbook files before transfer
       Preparing data_bags
       Preparing environments
       Preparing nodes
       Preparing roles
       Preparing validation.pem
       Preparing client.rb
       Transferring files to <pt-hardening-default-rhel7>
       Starting Chef Infra Client, version 15.4.45
       resolving cookbooks for run list: ["pt_hardening"]
       Synchronizing Cookbooks:
         - iptables (7.0.0)
         - line (2.7.0)
         - openssh (2.6.3)
         - pt_hardening (1.0.1)
       Installing Cookbook Gems:
       Compiling Cookbooks...
       
       ================================================================================
       Recipe Compile Error in /tmp/kitchen/cache/cookbooks/pt_hardening/recipes/default.rb
       ================================================================================
       
       NoMethodError
       -------------
       undefined method `all?' for nil:NilClass
       
       Cookbook Trace:
       ---------------
         /tmp/kitchen/cache/cookbooks/openssh/libraries/helpers.rb:42:in `sshd_host_keys_missing?'
         /tmp/kitchen/cache/cookbooks/openssh/recipes/default.rb:62:in `from_file'
         /tmp/kitchen/cache/cookbooks/pt_hardening/recipes/linux.rb:1:in `from_file'
         /tmp/kitchen/cache/cookbooks/pt_hardening/recipes/default.rb:2:in `from_file'
       
       Relevant File Content:
       ----------------------
       /tmp/kitchen/cache/cookbooks/openssh/libraries/helpers.rb:
       
        35:      def keygen_platform?
        36:        return true if platform?('amazon')
        37:        platform_family?('rhel', 'fedora') && node['platform_version'].to_i >= 7
        38:      end
        39:  
        40:      # are any of the host keys defined in the attribute missing from the filesystem
        41:      def sshd_host_keys_missing?
        42>>       !node['openssh']['server']['host_key'].all? { |f| ::File.exist?(f) }
        43:      end
        44:    end
        45:  end
        46:  
        47:  Chef::Resource.send(:include, ::Openssh::Helpers)
        48:  Chef::Recipe.send(:include, ::Openssh::Helpers)
        49:  
       
       System Info:
       ------------
       chef_version=15.4.45
       platform=redhat
       platform_version=7.6
       ruby=ruby 2.6.5p114 (2019-10-01 revision 67812) [x86_64-linux]
       program_name=/bin/chef-client
       executable=/opt/chef/bin/chef-client
       
       
       Running handlers:
       [2020-02-20T21:43:17+00:00] ERROR: Running exception handlers
       Running handlers complete
       [2020-02-20T21:43:17+00:00] ERROR: Exception handlers complete
       Chef Infra Client failed. 0 resources updated in 01 seconds
       [2020-02-20T21:43:17+00:00] FATAL: Stacktrace dumped to /tmp/kitchen/cache/chef-stacktrace.out
       [2020-02-20T21:43:17+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
       [2020-02-20T21:43:17+00:00] FATAL: NoMethodError: undefined method `all?' for nil:NilClass

invalid configuration generated for address_family/listen_address

Cookbook version

1.5.2, 1.6.0

Chef-client version

12.19.36

Platform Details

Centos 7.3

Scenario:

Attempting to set address_family to 'inet' and listen_address to an ipv4 address by setting these attributes in a role.

Steps to Reproduce:

Add this to your role attributes:

"openssh": {
  "server": {
    "address_family": "inet",
      "listen_address": "0.0.0.0"
  }
}

Expected Result:

/etc/ssh/sshd_config should contain the following two lines in this order:

AddressFamily inet
ListenAddress 0.0.0.0

Actual Result:

ListenAddress 0.0.0.0 is added on line 10 and AddressFamily inet is added to the end of the file. This is not a valid openssh configuration; the service logs 'address family must be specified before ListenAddress' and refuses to start.

The same error occurs if you use the example at https://github.com/chef-cookbooks/openssh/#bind-to-a-specific-set-of-address-this-example-actually-binds-to-all (assuming of course you first delete the extraneous } from that listing).
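
A pre-restart check for this ordering problem, plus a rendering order that avoids it, as an added example (not the cookbook's code). The sample config and the 10.0.0.x addresses are constructed, and render_global is a simplified stand-in for the template.

```ruby
# Constructed sample shaped like the "Actual Result" above: ListenAddress
# early in the file, AddressFamily at the end.
BROKEN = <<~CONF
  # Generated by Chef (constructed sample)
  Port 22
  ListenAddress 0.0.0.0
  PermitRootLogin no
  AddressFamily inet
CONF

# 1-based line numbers of ListenAddress lines that precede an AddressFamily
# line in the global section. Empty when the order is fine or when no
# AddressFamily is set. sshd_config keywords are case-insensitive.
def listen_before_family(config)
  listens = []
  config.each_line.with_index(1) do |line, n|
    word = line.strip.split(' ', 2).first
    next if word.nil? || word.start_with?('#')

    case word.downcase
    when 'match' then break
    when 'listenaddress' then listens << n
    when 'addressfamily' then return listens
    end
  end
  []
end

# Render global options with address_family hoisted to the front; Array
# values produce one line per item.
def render_global(attrs)
  first, rest = attrs.partition { |k, _| k == 'address_family' }
  (first + rest).flat_map do |k, v|
    Array(v).map { |item| "#{k.split('_').map(&:capitalize).join} #{item}" }
  end.join("\n")
end

puts listen_before_family(BROKEN).inspect
puts render_global('listen_address' => ['10.0.0.1', '10.0.0.2:2222'],
                   'address_family' => 'inet')
```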

Release?

Any chance we can get a release. There's some pretty big stuff in master.

Default values for HostKey not suitable for CentOS 7

By default, this cookbook sets up no HostKey entries in sshd_config. sshd will then default to using the rsa and dsa key. However, CentOS 7 does not create a DSA key, causing an error message.

To avoid that, CentOS 7 should have explicit HostKey entries, as follows:

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

sftp not working with openssh v2.1.0 (for rhel)

Cookbook version

2.1.0

Chef-client version

12.5.1

Platform Details

CentOS/RHEL 5,6,7

Scenario:

using sftp to connect to the server

Steps to Reproduce:

Nothing special, just run openssh cookbook and sftp does not work on CentOS/RHEL 5,6,7

Expected Result:

$ sftp -oPort=2201 [email protected]:
[email protected]'s password:
Connected to 127.0.0.1.
Changing to: /home/vagrant/

Actual Result:

$ sftp -oPort=2201 [email protected]:
[email protected]'s password:
subsystem request failed on channel 0
Couldn't read packet: Connection reset by peer

Logs present in the file : /var/log/secure.
Oct 10 15:45:46 127.0.0.1 sshd[23659]: subsystem request for sftp
Oct 10 15:45:46 127.0.0.1 sshd[23659]: error: subsystem: cannot stat /usr/lib/openssh/sftp-server: No such file or directory

How to Fix:

replace this

default['openssh']['server']['subsystem'] = 'sftp /usr/lib/openssh/sftp-server' if platform_family?('rhel') || platform_family?('fedora')

with

default['openssh']['server']['subsystem'] = 'sftp /usr/libexec/openssh/sftp-server' if platform_family?('rhel')
default['openssh']['server']['subsystem'] = 'sftp /usr/lib/openssh/sftp-server' if platform_family?('fedora')

CentOS 8 fails with "No such file or directory - /usr/sbin/sshd-keygen"

Cookbook version
2.9.0

Chef-client version
17.0.157

Platform Details
CentOS 8.3.2011

Scenario:
The CentOS platform_version comparison in the library is broken when converting 8.3.2011 to an integer

Steps to Reproduce:
Run kitchen test with CentOS 8 dokken image.

Expected Result:
/usr/libexec/openssh/sshd-keygen should be executed because /usr/sbin/sshd-keygen does not exist.

Actual Result:
cookbook executes /usr/sbin/sshd-keygen, which does not exist.

  * execute[/usr/sbin/sshd-keygen] action run

    ================================================================================
    Error executing action `run` on resource 'execute[/usr/sbin/sshd-keygen]'
    ================================================================================

    Errno::ENOENT
    -------------
    No such file or directory - /usr/sbin/sshd-keygen

    Resource Declaration:
    ---------------------
    # In /opt/kitchen/cache/cookbooks/openssh/recipes/default.rb

     69:     execute '/usr/sbin/sshd-keygen'
     70:   end

    Compiled Resource:
    ------------------
    # Declared in /opt/kitchen/cache/cookbooks/openssh/recipes/default.rb:69:in `from_file'

    execute("/usr/sbin/sshd-keygen") do
      action [:run]
      default_guard_interpreter :execute
      command "/usr/sbin/sshd-keygen"
      declared_type :execute
      cookbook_name "openssh"
      recipe_name "default"
      domain nil
      user nil
    end

    System Info:
    ------------
    chef_version=17.0.157
    platform=centos
    platform_version=8.3.2011
    ruby=ruby 2.7.2p137 (2020-10-01 revision 5445e04352) [x86_64-linux]
    program_name=/opt/chef/bin/chef-client
    executable=/opt/chef/bin/chef-client

Add version lock on iptables dependency

This cookbook depends on iptables but doesn't have a pessimistic version lock to ~ 1.0

Therefore when iptables introduced a breaking change and bumped to 2.0, this cookbook tries to use it and errors. This may only affect us because we're on Chef 11 but I still think it's best practice to have the version lock in place so that breaking changes are brought in intentionally.

If you want to change:
-depends 'iptables'
+depends 'iptables', "~> 1.0"
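
Review bot: the added depends line mixes quote styles, with the cookbook name in single quotes and the constraint in double quotes; write it as depends 'iptables', '~> 1.0' for consistency. The ~> 1.0 constraint admits every 1.x release and excludes 2.0, which matches the stated goal of bringing in breaking changes only intentionally.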

"sshd_config" template definition causes an error when no Match parameter is provided

Cookbook version

2.4.1

Chef-client version

12.19.36

Platform Details

RedHat 7.3

Scenario:

When running OpenSSH cookbook default recipe, "sshd_config" template definition causes an error when no Match parameter is provided.

Steps to Reproduce:

  • Re-define default value of the whole node['openssh']['server'] hash, e.g. by doing the following before including OpenSSH cookbook default recipe:
node.default['openssh']['server'] = {
  'x11_forwarding': 'yes',
  'log_level': 'INFO',
  ...
}

without specifying the "match" parameter, which should thus be left equal to nil.

  • Include and run OpenSSH cookbook default recipe.

Expected Result:

No "Match XXX" entry is added into /etc/ssh/sshd_config.

Actual Result:

Chef terminates in error (see stack trace below).

A possible enhancement of the cookbook would be to invert and modify "unless" conditions in templates/default/sshd_config.erb, l. 14:

  • currently:
    <% unless node['openssh']['server']['match'].empty? || !defined?(node['openssh']['server']['match']) -%>
  • modified:
    <% unless node['openssh']['server']['match'].nil? || node['openssh']['server']['match'].empty? -%>

Stacktrace:

    ================================================================================
    Error executing action `create` on resource 'template[/etc/ssh/sshd_config]'
    ================================================================================

    Chef::Mixin::Template::TemplateError
    ------------------------------------
    undefined method `empty?' for nil:NilClass

    Resource Declaration:
    ---------------------
    # In /var/chef/cache/cookbooks/openssh/recipes/default.rb

     46: template '/etc/ssh/sshd_config' do
     47:   source 'sshd_config.erb'
     48:   mode node['openssh']['config_mode']
     49:   owner 'root'
     50:   group node['root_group']
     51:   variables(options: openssh_server_options)
     52:   notifies :run, 'execute[sshd-config-check]', :immediately
     53:   notifies :restart, 'service[ssh]'
     54: end
     55:

    Compiled Resource:
    ------------------
    # Declared in /var/chef/cache/cookbooks/openssh/recipes/default.rb:46:in `from_file'

    template("/etc/ssh/sshd_config") do
      action [:create]
      retries 0
      retry_delay 2
      default_guard_interpreter :default
      source "sshd_config.erb"
      variables {:options=>[["allow_tcp_forwarding", "no"], ["allows_groups", "_ccs_administrateurs_systeme _ccs_super_operateurs"], ["listen_address", ["172.16.131.57", "172.16.131.59"]], ["login_grace_time", "30"], ["max_auth_tries", "2"], ["permit_user_environment", "no"], ["print_last_log", "yes"], ["x11_forwarding", "yes"]]}
      declared_type :template
      cookbook_name "openssh"
      recipe_name "default"
      owner "root"
      group "root"
      mode "0600"
      path "/etc/ssh/sshd_config"
      verifications []
    end

    Template Context:
    -----------------
    on line #14
     12: <% end -%>
     13:
     14: <%  unless node['openssh']['server']['match'].empty? || !defined?(node['openssh']['server']['match']) -%>
     15: <%    node['openssh']['server']['match'].sort.map do |match_key, match_items| -%>
     16: Match <%= match_key %>

    Platform:
    ---------
    x86_64-linux
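
Both nil failures on this page (`all?' on host_key in the RHEL7 report and `empty?' on match here) come from calling a collection method on an unset attribute. The sketch below is an added example, not the cookbook's code; NODE is a plain Hash standing in for Chef node attributes, and the nil-safe helpers are hypothetical names.

```ruby
# Shaped like the wholesale override in the report above: no 'match' key
# and no 'host_key' key.
NODE = {
  'openssh' => { 'server' => { 'x11_forwarding' => 'yes', 'log_level' => 'INFO' } },
}.freeze

# The guard as the template has it: .empty? is evaluated first, so a nil
# 'match' raises before the defined? operand is ever reached.
def guard_as_written(node)
  node['openssh']['server']['match'].empty? ||
    !defined?(node['openssh']['server']['match'])
end

def guard_raises?(node)
  guard_as_written(node)
  false
rescue NoMethodError
  true
end

# defined? on a method call only reports that the receiver responds to [];
# it returns "method" even though the call itself yields nil.
def defined_result(node)
  defined?(node['openssh']['server']['match'])
end

# nil-safe guard: true when the Match section should be skipped.
def skip_match_section?(node)
  match = node.dig('openssh', 'server', 'match')
  match.nil? || match.empty?
end

# nil-safe variant of the host key check: Array(nil) is [], so an unset
# attribute reads as "nothing listed, nothing missing" (a policy choice).
def host_keys_missing?(node, exist = ->(f) { ::File.exist?(f) })
  keys = Array(node.dig('openssh', 'server', 'host_key'))
  !keys.all? { |f| exist.call(f) }
end

puts guard_raises?(NODE)         # the original guard blows up
puts defined_result(NODE)        # defined? does not detect nil
puts skip_match_section?(NODE)   # nil-safe guard skips the section
```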

EnableSSHKeysign should be in non-host specific client section

According to ssh_config man page, the EnableSSHKeysign should be in the non-host specific (above the first Host entry). Apparently there is no way of doing this as the first entry is Host* via the default.rb. An entry of such does not exist in the default.rb as well. A connection to a HostbasedAuthentication enabled host fails, if EnableSSHKeysign is not located as specified.

multiple SendEnv for ssh_config?

Cookbook version

2.7.0

Chef-client version

12.21.3

Platform Details

RHEL 6 and RHEL 7

Scenario:

By default in RHEL6, the /etc/ssh/ssh_config has got multiple entries for SendEnv:

Host *
        SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
        SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
        SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
        SendEnv XMODIFIERS

I don't see a way to specify this in an attributes file in my own cookbook. I could just squish them into a single line, but then readability suffers:

SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION LC_ALL LANGUAGE XMODIFIERS

Steps to Reproduce:

Add multiple entries of default['openssh']['client']['*']['sendenv'] to the attributes directory of your cookbook. Example:

default['openssh']['client']['*']['sendenv'] = 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY'
default['openssh']['client']['*']['sendenv'] = 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT'
default['openssh']['client']['*']['sendenv'] = 'LC_IDENTIFICATION LC_ALL LANGUAGE'

Expected Result:

Multiple SendEnv entries in /etc/ssh/ssh_config

Actual Result:

Last line of default['openssh']['client']['*']['sendenv'] is preserved

Incorrect path for ssh_host_*_key in sshd_config: can't login by ssh into my box

Cookbook version

v2.4.0

Chef-client version

12.7.2

Platform Details

CentOS 6.6

Scenario:

include_recipe 'openssh::default' in my own recipe

Steps to Reproduce:

include_recipe 'openssh::default'

Expected Result:

[What are you expecting to happen as the consequence of above reproduction steps?]

Actual Result:

https://github.com/chef-cookbooks/openssh/blob/master/attributes/default.rb#L91
Why are you using '/var/ssh' path (instead of '/etc/ssh')?
I'm getting the error 'file not found' when I type the commands:
file /var/ssh/ssh_host_rsa_key
or
file /var/ssh/ssh_host_dsa_key

I can't log in to my box for this reason:
'Read from socket failed: Connection reset by peer'

openssh Chef-17 compatibility

nothing to be done here. there's the dep on iptables, that cookbook has been updated. debates rage about this cookbook depping on iptables, but that's out of scope.
