cloud-mu 3.1.6 → 3.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (181) hide show
  1. checksums.yaml +4 -4
  2. data/Dockerfile +1 -1
  3. data/bin/mu-adopt +15 -12
  4. data/bin/mu-azure-tests +57 -0
  5. data/bin/mu-cleanup +2 -4
  6. data/bin/mu-configure +37 -1
  7. data/bin/mu-deploy +3 -3
  8. data/bin/mu-findstray-tests +25 -0
  9. data/bin/mu-gen-docs +2 -4
  10. data/bin/mu-load-config.rb +2 -1
  11. data/bin/mu-run-tests +37 -12
  12. data/cloud-mu.gemspec +4 -4
  13. data/cookbooks/mu-tools/attributes/default.rb +7 -0
  14. data/cookbooks/mu-tools/libraries/helper.rb +87 -3
  15. data/cookbooks/mu-tools/recipes/apply_security.rb +39 -23
  16. data/cookbooks/mu-tools/recipes/aws_api.rb +13 -0
  17. data/cookbooks/mu-tools/recipes/google_api.rb +4 -0
  18. data/cookbooks/mu-tools/recipes/rsyslog.rb +8 -1
  19. data/cookbooks/mu-tools/resources/disk.rb +33 -12
  20. data/cookbooks/mu-tools/resources/mommacat_request.rb +1 -2
  21. data/cookbooks/mu-tools/templates/centos-8/sshd_config.erb +215 -0
  22. data/extras/clean-stock-amis +10 -2
  23. data/extras/generate-stock-images +7 -3
  24. data/extras/image-generators/AWS/centos7.yaml +19 -16
  25. data/extras/image-generators/AWS/{rhel7.yaml → rhel71.yaml} +0 -0
  26. data/extras/image-generators/AWS/{win2k12.yaml → win2k12r2.yaml} +0 -0
  27. data/modules/mommacat.ru +2 -2
  28. data/modules/mu.rb +84 -97
  29. data/modules/mu/adoption.rb +359 -59
  30. data/modules/mu/cleanup.rb +67 -44
  31. data/modules/mu/cloud.rb +108 -1754
  32. data/modules/mu/cloud/database.rb +49 -0
  33. data/modules/mu/cloud/dnszone.rb +44 -0
  34. data/modules/mu/cloud/machine_images.rb +212 -0
  35. data/modules/mu/cloud/providers.rb +81 -0
  36. data/modules/mu/cloud/resource_base.rb +929 -0
  37. data/modules/mu/cloud/server.rb +40 -0
  38. data/modules/mu/cloud/server_pool.rb +1 -0
  39. data/modules/mu/cloud/ssh_sessions.rb +228 -0
  40. data/modules/mu/cloud/winrm_sessions.rb +237 -0
  41. data/modules/mu/cloud/wrappers.rb +178 -0
  42. data/modules/mu/config.rb +122 -80
  43. data/modules/mu/config/alarm.rb +2 -6
  44. data/modules/mu/config/bucket.rb +32 -3
  45. data/modules/mu/config/cache_cluster.rb +2 -2
  46. data/modules/mu/config/cdn.rb +100 -0
  47. data/modules/mu/config/collection.rb +1 -1
  48. data/modules/mu/config/container_cluster.rb +2 -2
  49. data/modules/mu/config/database.rb +84 -105
  50. data/modules/mu/config/database.yml +1 -2
  51. data/modules/mu/config/dnszone.rb +5 -4
  52. data/modules/mu/config/doc_helpers.rb +4 -5
  53. data/modules/mu/config/endpoint.rb +2 -1
  54. data/modules/mu/config/firewall_rule.rb +3 -19
  55. data/modules/mu/config/folder.rb +1 -1
  56. data/modules/mu/config/function.rb +17 -8
  57. data/modules/mu/config/group.rb +1 -1
  58. data/modules/mu/config/habitat.rb +1 -1
  59. data/modules/mu/config/job.rb +89 -0
  60. data/modules/mu/config/loadbalancer.rb +57 -11
  61. data/modules/mu/config/log.rb +1 -1
  62. data/modules/mu/config/msg_queue.rb +1 -1
  63. data/modules/mu/config/nosqldb.rb +1 -1
  64. data/modules/mu/config/notifier.rb +8 -19
  65. data/modules/mu/config/ref.rb +81 -9
  66. data/modules/mu/config/role.rb +1 -1
  67. data/modules/mu/config/schema_helpers.rb +30 -34
  68. data/modules/mu/config/search_domain.rb +1 -1
  69. data/modules/mu/config/server.rb +5 -13
  70. data/modules/mu/config/server_pool.rb +3 -7
  71. data/modules/mu/config/storage_pool.rb +1 -1
  72. data/modules/mu/config/tail.rb +10 -0
  73. data/modules/mu/config/user.rb +1 -1
  74. data/modules/mu/config/vpc.rb +13 -17
  75. data/modules/mu/defaults/AWS.yaml +106 -106
  76. data/modules/mu/defaults/Azure.yaml +1 -0
  77. data/modules/mu/defaults/Google.yaml +1 -0
  78. data/modules/mu/deploy.rb +33 -19
  79. data/modules/mu/groomer.rb +15 -0
  80. data/modules/mu/groomers/chef.rb +3 -0
  81. data/modules/mu/logger.rb +120 -144
  82. data/modules/mu/master.rb +22 -1
  83. data/modules/mu/mommacat.rb +71 -26
  84. data/modules/mu/mommacat/daemon.rb +23 -14
  85. data/modules/mu/mommacat/naming.rb +82 -3
  86. data/modules/mu/mommacat/search.rb +59 -16
  87. data/modules/mu/mommacat/storage.rb +119 -48
  88. data/modules/mu/{clouds → providers}/README.md +1 -1
  89. data/modules/mu/{clouds → providers}/aws.rb +248 -62
  90. data/modules/mu/{clouds → providers}/aws/alarm.rb +3 -3
  91. data/modules/mu/{clouds → providers}/aws/bucket.rb +275 -41
  92. data/modules/mu/{clouds → providers}/aws/cache_cluster.rb +14 -50
  93. data/modules/mu/providers/aws/cdn.rb +782 -0
  94. data/modules/mu/{clouds → providers}/aws/collection.rb +5 -5
  95. data/modules/mu/{clouds → providers}/aws/container_cluster.rb +65 -63
  96. data/modules/mu/providers/aws/database.rb +1747 -0
  97. data/modules/mu/{clouds → providers}/aws/dnszone.rb +26 -12
  98. data/modules/mu/providers/aws/endpoint.rb +1072 -0
  99. data/modules/mu/{clouds → providers}/aws/firewall_rule.rb +39 -32
  100. data/modules/mu/{clouds → providers}/aws/folder.rb +1 -1
  101. data/modules/mu/{clouds → providers}/aws/function.rb +291 -133
  102. data/modules/mu/{clouds → providers}/aws/group.rb +18 -20
  103. data/modules/mu/{clouds → providers}/aws/habitat.rb +3 -3
  104. data/modules/mu/providers/aws/job.rb +469 -0
  105. data/modules/mu/{clouds → providers}/aws/loadbalancer.rb +77 -47
  106. data/modules/mu/{clouds → providers}/aws/log.rb +5 -5
  107. data/modules/mu/{clouds → providers}/aws/msg_queue.rb +14 -11
  108. data/modules/mu/{clouds → providers}/aws/nosqldb.rb +96 -5
  109. data/modules/mu/{clouds → providers}/aws/notifier.rb +135 -63
  110. data/modules/mu/{clouds → providers}/aws/role.rb +112 -78
  111. data/modules/mu/{clouds → providers}/aws/search_domain.rb +172 -41
  112. data/modules/mu/{clouds → providers}/aws/server.rb +120 -145
  113. data/modules/mu/{clouds → providers}/aws/server_pool.rb +42 -60
  114. data/modules/mu/{clouds → providers}/aws/storage_pool.rb +21 -38
  115. data/modules/mu/{clouds → providers}/aws/user.rb +12 -16
  116. data/modules/mu/{clouds → providers}/aws/userdata/README.md +0 -0
  117. data/modules/mu/{clouds → providers}/aws/userdata/linux.erb +5 -4
  118. data/modules/mu/{clouds → providers}/aws/userdata/windows.erb +0 -0
  119. data/modules/mu/{clouds → providers}/aws/vpc.rb +141 -73
  120. data/modules/mu/{clouds → providers}/aws/vpc_subnet.rb +0 -0
  121. data/modules/mu/{clouds → providers}/azure.rb +4 -1
  122. data/modules/mu/{clouds → providers}/azure/container_cluster.rb +1 -5
  123. data/modules/mu/{clouds → providers}/azure/firewall_rule.rb +8 -1
  124. data/modules/mu/{clouds → providers}/azure/habitat.rb +0 -0
  125. data/modules/mu/{clouds → providers}/azure/loadbalancer.rb +0 -0
  126. data/modules/mu/{clouds → providers}/azure/role.rb +0 -0
  127. data/modules/mu/{clouds → providers}/azure/server.rb +32 -24
  128. data/modules/mu/{clouds → providers}/azure/user.rb +1 -1
  129. data/modules/mu/{clouds → providers}/azure/userdata/README.md +0 -0
  130. data/modules/mu/{clouds → providers}/azure/userdata/linux.erb +0 -0
  131. data/modules/mu/{clouds → providers}/azure/userdata/windows.erb +0 -0
  132. data/modules/mu/{clouds → providers}/azure/vpc.rb +4 -6
  133. data/modules/mu/{clouds → providers}/cloudformation.rb +1 -1
  134. data/modules/mu/{clouds → providers}/cloudformation/alarm.rb +3 -3
  135. data/modules/mu/{clouds → providers}/cloudformation/cache_cluster.rb +3 -3
  136. data/modules/mu/{clouds → providers}/cloudformation/collection.rb +3 -3
  137. data/modules/mu/{clouds → providers}/cloudformation/database.rb +6 -17
  138. data/modules/mu/{clouds → providers}/cloudformation/dnszone.rb +3 -3
  139. data/modules/mu/{clouds → providers}/cloudformation/firewall_rule.rb +3 -3
  140. data/modules/mu/{clouds → providers}/cloudformation/loadbalancer.rb +3 -3
  141. data/modules/mu/{clouds → providers}/cloudformation/log.rb +3 -3
  142. data/modules/mu/{clouds → providers}/cloudformation/server.rb +7 -7
  143. data/modules/mu/{clouds → providers}/cloudformation/server_pool.rb +5 -5
  144. data/modules/mu/{clouds → providers}/cloudformation/vpc.rb +3 -3
  145. data/modules/mu/{clouds → providers}/docker.rb +0 -0
  146. data/modules/mu/{clouds → providers}/google.rb +15 -6
  147. data/modules/mu/{clouds → providers}/google/bucket.rb +2 -2
  148. data/modules/mu/{clouds → providers}/google/container_cluster.rb +29 -14
  149. data/modules/mu/{clouds → providers}/google/database.rb +2 -9
  150. data/modules/mu/{clouds → providers}/google/firewall_rule.rb +3 -3
  151. data/modules/mu/{clouds → providers}/google/folder.rb +5 -9
  152. data/modules/mu/{clouds → providers}/google/function.rb +4 -4
  153. data/modules/mu/{clouds → providers}/google/group.rb +9 -17
  154. data/modules/mu/{clouds → providers}/google/habitat.rb +4 -8
  155. data/modules/mu/{clouds → providers}/google/loadbalancer.rb +2 -2
  156. data/modules/mu/{clouds → providers}/google/role.rb +46 -35
  157. data/modules/mu/{clouds → providers}/google/server.rb +26 -11
  158. data/modules/mu/{clouds → providers}/google/server_pool.rb +11 -11
  159. data/modules/mu/{clouds → providers}/google/user.rb +32 -22
  160. data/modules/mu/{clouds → providers}/google/userdata/README.md +0 -0
  161. data/modules/mu/{clouds → providers}/google/userdata/linux.erb +0 -0
  162. data/modules/mu/{clouds → providers}/google/userdata/windows.erb +0 -0
  163. data/modules/mu/{clouds → providers}/google/vpc.rb +38 -3
  164. data/modules/tests/aws-jobs-functions.yaml +46 -0
  165. data/modules/tests/centos6.yaml +15 -0
  166. data/modules/tests/centos7.yaml +15 -0
  167. data/modules/tests/centos8.yaml +12 -0
  168. data/modules/tests/ecs.yaml +2 -2
  169. data/modules/tests/eks.yaml +1 -1
  170. data/modules/tests/functions/node-function/lambda_function.js +10 -0
  171. data/modules/tests/functions/python-function/lambda_function.py +12 -0
  172. data/modules/tests/microservice_app.yaml +288 -0
  173. data/modules/tests/rds.yaml +108 -0
  174. data/modules/tests/regrooms/rds.yaml +123 -0
  175. data/modules/tests/server-with-scrub-muisms.yaml +1 -1
  176. data/modules/tests/super_complex_bok.yml +2 -2
  177. data/modules/tests/super_simple_bok.yml +2 -2
  178. data/spec/mu/clouds/azure_spec.rb +2 -2
  179. metadata +126 -98
  180. data/modules/mu/clouds/aws/database.rb +0 -1974
  181. data/modules/mu/clouds/aws/endpoint.rb +0 -596
@@ -23,13 +23,37 @@ if !node['application_attributes']['skip_recipes'].include?('apply_security')
23
23
  include_recipe "mu-tools::aws_api"
24
24
  include_recipe "mu-tools::google_api"
25
25
 
26
+ if node['platform_version'].to_i < 6
27
+ package "policycoreutils"
28
+ elsif node['platform_version'].to_i < 8
29
+ package "policycoreutils-python"
30
+ else
31
+ package "xfsprogs"
32
+ package "xfsprogs-devel"
33
+ package "policycoreutils-python-utils"
34
+ end
26
35
 
27
- %w{ policycoreutils-python authconfig ntp aide }.each do |pkg|
36
+ %w{ authconfig aide }.each do |pkg|
28
37
  package "apply_security package #{pkg}" do
29
38
  package_name pkg
30
39
  end
31
40
  end
32
41
 
42
+ if node['platform_version'].to_i < 8
43
+ package "ntp"
44
+ bash "NTP" do
45
+ user "root"
46
+ code <<-EOH
47
+ chkconfig ntpd on
48
+ ntpdate pool.ntp.org
49
+ service ntpd start
50
+ EOH
51
+ end
52
+ else
53
+ package "chrony"
54
+ service "chronyd"
55
+ end
56
+
33
57
  execute "enable manual auditd restarts" do
34
58
  command "sed -i s/RefuseManualStop=yes/#RefuseManualStop=yes/ /usr/lib/systemd/system/auditd.service ; pkill auditd"
35
59
  ignore_failure true
@@ -60,14 +84,6 @@ if !node['application_attributes']['skip_recipes'].include?('apply_security')
60
84
  content "set -r autologout 15\n"
61
85
  end
62
86
 
63
- bash "NTP" do
64
- user "root"
65
- code <<-EOH
66
- chkconfig ntpd on
67
- ntpdate pool.ntp.org
68
- service ntpd start
69
- EOH
70
- end
71
87
 
72
88
  #File integrity checking. Default configuration
73
89
  bash "AIDE" do
@@ -252,21 +268,21 @@ if !node['application_attributes']['skip_recipes'].include?('apply_security')
252
268
  # end
253
269
  # 6.3 Configure PAM
254
270
  # 6.3.2 Set Password Creation Requirement Parameters Using pam_cracklib
255
- template "/etc/pam.d/password-auth-local" do
256
- source "etc_pamd_password-auth.erb"
257
- mode 0644
258
- end
259
- link "/etc/pam.d/password-auth" do
260
- to "/etc/pam.d/password-auth-local"
261
- end
271
+ # template "/etc/pam.d/password-auth-local" do
272
+ # source "etc_pamd_password-auth.erb"
273
+ # mode 0644
274
+ # end
275
+ # link "/etc/pam.d/password-auth" do
276
+ # to "/etc/pam.d/password-auth-local"
277
+ # end
262
278
  #6.3.3 Set Lockout for Failed Password Attempts
263
- template "/etc/pam.d/system-auth-local" do
264
- source "etc_pamd_system-auth.erb"
265
- mode 0644
266
- end
267
- link "/etc/pam.d/system-auth" do
268
- to "/etc/pam.d/system-auth-local"
269
- end
279
+ # template "/etc/pam.d/system-auth-local" do
280
+ # source "etc_pamd_system-auth.erb"
281
+ # mode 0644
282
+ # end
283
+ # link "/etc/pam.d/system-auth" do
284
+ # to "/etc/pam.d/system-auth-local"
285
+ # end
270
286
 
271
287
  #SV-50303r1_rule/SV-50304r1_rule
272
288
  execute "chown root:root /etc/shadow"
@@ -21,3 +21,16 @@ chef_gem "aws-sdk-core" do
21
21
  version "2.11.24"
22
22
  action :install
23
23
  end
24
+
25
+ if platform_family?("rhel") or platform_family?("amazon")
26
+ if node['platform_version'].to_i == 6
27
+ package "python34-pip"
28
+ execute "/usr/bin/pip3 install awscli" do
29
+ not_if "test -x /usr/bin/aws"
30
+ end
31
+ end
32
+ end
33
+
34
+ package "nvme-cli" do
35
+ ignore_failure true
36
+ end
@@ -23,3 +23,7 @@
23
23
  only_if { !get_google_metadata("instance/name").nil? }
24
24
  end
25
25
  }
26
+
27
+ package "nvme-cli" do
28
+ ignore_failure true
29
+ end
@@ -33,7 +33,14 @@ if !node['application_attributes']['skip_recipes'].include?('rsyslog')
33
33
  if platform_family?("rhel") or platform_family?("amazon")
34
34
  $rsyslog_ssl_ca_path = "/etc/pki/Mu_CA.pem"
35
35
  if !platform?("amazon")
36
- package node['platform_version'].to_i < 6 ? "policycoreutils" : "policycoreutils-python"
36
+ semanage_pkg = if node['platform_version'].to_i < 6
37
+ "policycoreutils"
38
+ elsif node['platform_version'].to_i < 8
39
+ "policycoreutils-python"
40
+ else
41
+ "policycoreutils-python-utils"
42
+ end
43
+ package semanage_pkg
37
44
  execute "allow rsyslog to meddle with port 10514" do
38
45
  command "/usr/sbin/semanage port -a -t syslogd_port_t -p tcp 10514"
39
46
  not_if "/usr/sbin/semanage port -l | grep '^syslog.*10514'"
@@ -10,25 +10,43 @@ actions :create # ~FC092
10
10
  default_action :create
11
11
 
12
12
  action :create do
13
- device = new_resource.device
13
+ devicepath = new_resource.device
14
14
  path = new_resource.mountpoint
15
- devicename = device
15
+ devicename = devicepath.dup
16
16
 
17
17
  if set_gcp_cfg_params
18
18
  devicename= devicename.gsub(/.*?\//, "")
19
- device = "/dev/disk/by-id/google-"+devicename
19
+ devicepath = "/dev/disk/by-id/google-"+devicename
20
20
  end
21
21
 
22
- mu_tools_mommacat_request "create #{path}" do
22
+ # if devicename =~ /^\/dev\/(?:sd|xvd)([a-z])/
23
+ # if nvme?
24
+ # map = attached_nvme_disks
25
+ # if map[devicename]
26
+ # devicepath = map[devicename]
27
+ # end
28
+ # end
29
+ # end
30
+
31
+ mu_tools_mommacat_request "create #{devicepath} for #{path}" do
23
32
  request "add_volume"
24
33
  passparams(
25
34
  :dev => devicename,
26
35
  :size => new_resource.size,
27
36
  :delete_on_termination => new_resource.delete_on_termination
28
37
  )
29
- not_if { ::File.exist?(device) }
38
+ not_if { ::File.exist?(real_devicepath(devicepath)) }
30
39
  end
31
40
 
41
+ # if nvme? and device.nil?
42
+ # map = attached_nvme_disks
43
+ # if map[devicename]
44
+ # devicepath = map[devicename]
45
+ # else
46
+ # Chef::Application.fatal!("In NVME mode and attempted to allocate disk #{devicename}, but didn't find it in metadata of any of our NVME block devices (#{map.values.join(", ")})")
47
+ # end
48
+ # end
49
+
32
50
  reboot "Rebooting after adding #{path}" do
33
51
  action :nothing
34
52
  end
@@ -38,7 +56,7 @@ action :create do
38
56
  action :nothing
39
57
  end
40
58
  mount "/mnt#{backupname}" do
41
- device device
59
+ device real_devicepath(devicepath)
42
60
  options "nodev"
43
61
  action :nothing
44
62
  notifies :create, "directory[/mnt#{backupname}]", :before
@@ -51,10 +69,11 @@ action :create do
51
69
  action :nothing
52
70
  end
53
71
 
54
- mkfs_cmd = node['platform_version'].to_i == 6 ? "mkfs.ext4 -F #{device}" : "mkfs.xfs -i size=512 #{device}"
55
- guard_cmd = node['platform_version'].to_i == 6 ? "tune2fs -l #{device} > /dev/null" : "xfs_admin -l #{device} > /dev/null"
72
+ # mkfs_cmd = node['platform_version'].to_i == 6 ? "mkfs.ext4 -F #{real_devicepath(devicepath)}" : "mkfs.xfs -i size=512 #{real_devicepath(devicepath)}"
73
+ # guard_cmd = node['platform_version'].to_i == 6 ? "tune2fs -l #{real_devicepath(devicepath)} > /dev/null" : "xfs_admin -l #{real_devicepath(devicepath)} > /dev/null"
56
74
 
57
- execute mkfs_cmd do
75
+ execute "format #{devicename}" do
76
+ command (node['platform_version'].to_i == 6 ? "mkfs.ext4 -F #{real_devicepath(devicepath)}" : "mkfs.xfs -i size=512 #{real_devicepath(devicepath)}")
58
77
  if new_resource.preserve_data
59
78
  notifies :mount, "mount[/mnt#{backupname}]", :immediately
60
79
  notifies :run, "execute[back up #{backupname}]", :immediately
@@ -63,11 +82,13 @@ action :create do
63
82
  if new_resource.reboot_after_create
64
83
  notifies :request_reboot, "reboot[Rebooting after adding #{path}]", :delayed
65
84
  end
66
- not_if guard_cmd
85
+ retries 5 # sometimes there's a bit of lag
86
+ retry_delay 6
87
+ not_if (node['platform_version'].to_i == 6 ? "tune2fs -l #{real_devicepath(devicepath)} > /dev/null" : "xfs_admin -l #{real_devicepath(devicepath)} > /dev/null")
67
88
  end
68
89
 
69
90
  if !new_resource.reboot_after_create
70
- directory "Ensure existence of #{path} for #{device}" do
91
+ directory "Ensure existence of #{path} for #{real_devicepath(devicepath)}" do
71
92
  recursive true
72
93
  path path
73
94
  end
@@ -78,7 +99,7 @@ action :create do
78
99
  end
79
100
 
80
101
  mount path do
81
- device device
102
+ device real_devicepath(devicepath)
82
103
  options "nodev"
83
104
  action [:mount, :enable]
84
105
  notifies :run, "execute[/sbin/restorecon -R #{path}]", :immediately
@@ -6,6 +6,5 @@ actions :run # ~FC092
6
6
  default_action :run
7
7
 
8
8
  action :run do
9
- params = Base64.urlsafe_encode64(JSON.generate(new_resource.passparams))
10
- mommacat_request(new_resource.request, params)
9
+ mommacat_request(new_resource.request, new_resource.passparams)
11
10
  end
@@ -0,0 +1,215 @@
1
+ # $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
2
+
3
+ # This is the sshd server system-wide configuration file. See
4
+ # sshd_config(5) for more information.
5
+
6
+ # This sshd was compiled with PATH=/usr/local/bin:/usr/bin
7
+
8
+ # The strategy used for options in the default sshd_config shipped with
9
+ # OpenSSH is to specify options with their default value where
10
+ # possible, but leave them commented. Uncommented options override the
11
+ # default value.
12
+
13
+ # If you want to change the port on a SELinux system, you have to tell
14
+ # SELinux about this change.
15
+ # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
16
+ #
17
+ #Port 22
18
+ #AddressFamily any
19
+ #ListenAddress 0.0.0.0
20
+ #ListenAddress ::
21
+
22
+ # The default requires explicit activation of protocol 1
23
+ #Protocol 2
24
+
25
+ # HostKey for protocol version 1
26
+ #HostKey /etc/ssh/ssh_host_key
27
+ # HostKeys for protocol version 2
28
+ HostKey /etc/ssh/ssh_host_rsa_key
29
+ #HostKey /etc/ssh/ssh_host_dsa_key
30
+ HostKey /etc/ssh/ssh_host_ecdsa_key
31
+ HostKey /etc/ssh/ssh_host_ed25519_key
32
+
33
+ # Lifetime and size of ephemeral version 1 server key
34
+ #KeyRegenerationInterval 1h
35
+ #ServerKeyBits 1024
36
+
37
+ # Logging
38
+ # obsoletes QuietMode and FascistLogging
39
+ #SyslogFacility AUTH
40
+ SyslogFacility AUTHPRIV
41
+ LogLevel INFO
42
+
43
+ # Authentication:
44
+
45
+ #LoginGraceTime 2m
46
+ #PermitRootLogin yes
47
+ #StrictModes yes
48
+ MaxAuthTries 4
49
+ #MaxSessions 10
50
+
51
+ #RSAAuthentication yes
52
+ #PubkeyAuthentication yes
53
+
54
+ # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
55
+ # but this is overridden so installations will only check .ssh/authorized_keys
56
+ AuthorizedKeysFile .ssh/authorized_keys
57
+
58
+ #AuthorizedPrincipalsFile none
59
+
60
+ #AuthorizedKeysCommand none
61
+ #AuthorizedKeysCommandUser nobody
62
+
63
+ # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
64
+ #RhostsRSAAuthentication no
65
+ # similar for protocol version 2
66
+ HostbasedAuthentication no
67
+ # Change to yes if you don't trust ~/.ssh/known_hosts for
68
+ # RhostsRSAAuthentication and HostbasedAuthentication
69
+ #IgnoreUserKnownHosts no
70
+ # Don't read the user's ~/.rhosts and ~/.shosts files
71
+ IgnoreRhosts yes
72
+
73
+ # To disable tunneled clear text passwords, change to no here!
74
+ #PasswordAuthentication yes
75
+ PermitEmptyPasswords no
76
+ <% begin
77
+ if node['application_attributes']['sshd_allow_password_auth'] %>
78
+ PasswordAuthentication yes
79
+ <%
80
+ else %>
81
+ PasswordAuthentication no
82
+ <% end
83
+ rescue NoMethodError %>
84
+ PasswordAuthentication no
85
+ <% end %>
86
+
87
+
88
+ # Change to no to disable s/key passwords
89
+ #ChallengeResponseAuthentication yes
90
+ ChallengeResponseAuthentication no
91
+
92
+ # Kerberos options
93
+ #KerberosAuthentication no
94
+ #KerberosOrLocalPasswd yes
95
+ #KerberosTicketCleanup yes
96
+ #KerberosGetAFSToken no
97
+ #KerberosUseKuserok yes
98
+
99
+ # GSSAPI options
100
+ #GSSAPIAuthentication no
101
+ GSSAPIAuthentication yes
102
+ GSSAPICleanupCredentials yes
103
+ #GSSAPIStrictAcceptorCheck yes
104
+ #GSSAPIKeyExchange no
105
+ #GSSAPIEnablek5users no
106
+
107
+ # Set this to 'yes' to enable PAM authentication, account processing,
108
+ # and session processing. If this is enabled, PAM authentication will
109
+ # be allowed through the ChallengeResponseAuthentication and
110
+ # PasswordAuthentication. Depending on your PAM configuration,
111
+ # PAM authentication via ChallengeResponseAuthentication may bypass
112
+ # the setting of "PermitRootLogin without-password".
113
+ # If you just want the PAM account and session checks to run without
114
+ # PAM authentication, then enable this but set PasswordAuthentication
115
+ # and ChallengeResponseAuthentication to 'no'.
116
+ # WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
117
+ # problems.
118
+ UsePAM yes
119
+
120
+ # Accept locale-related environment variables
121
+ AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
122
+ AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
123
+ AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
124
+ AcceptEnv XMODIFIERS
125
+
126
+ #AllowAgentForwarding yes
127
+ #AllowTcpForwarding yes
128
+ #GatewayPorts no
129
+ X11Forwarding no
130
+ #X11DisplayOffset 10
131
+ #X11UseLocalhost yes
132
+ #PermitTTY yes
133
+ #PrintMotd yes
134
+ #PrintLastLog yes
135
+ #TCPKeepAlive yes
136
+ #UseLogin no
137
+ UsePrivilegeSeparation sandbox # Default for new installations.
138
+ #PermitUserEnvironment no
139
+ #Compression delayed
140
+ ClientAliveInterval 300
141
+ ClientAliveCountMax 0
142
+ #ShowPatchLevel no
143
+ #UseDNS yes
144
+ #PidFile /var/run/sshd.pid
145
+ #MaxStartups 10:30:100
146
+ #PermitTunnel no
147
+ #ChrootDirectory none
148
+ #VersionAddendum none
149
+
150
+ # no default banner path
151
+ #Banner none
152
+ Banner /etc/issue.net
153
+
154
+ # override default of no subsystems
155
+ Subsystem sftp /usr/libexec/openssh/sftp-server
156
+
157
+ # Example of overriding settings on a per-user basis
158
+ #Match User anoncvs
159
+ # X11Forwarding no
160
+ # AllowTcpForwarding no
161
+ # PermitTTY no
162
+ # ForceCommand cvs server
163
+ PermitRootLogin without-password
164
+ UseDNS no
165
+
166
+ Ciphers aes128-ctr,aes192-ctr,aes256-ctr
167
+
168
+ # If we've set AllowGroups, use that instead of restricting to centos
169
+ <%
170
+ begin
171
+ if !node['application_attributes']['sshd_allow_groups'].empty? %>
172
+ AllowGroups <%= node['application_attributes']['sshd_allow_groups'] %> root
173
+ <%
174
+ else
175
+ %>
176
+ AllowUsers centos root
177
+ <%
178
+ end
179
+ rescue NoMethodError %>
180
+ AllowUsers centos root
181
+ <%
182
+ end
183
+ %>
184
+
185
+ # Support SVN-only servers, while we're at it
186
+ <%
187
+ begin
188
+ if node['application_attributes']['svn_only_group'] %>
189
+ Match Group <%= node['application_attributes']['svn_only_group'] %>
190
+ ForceCommand /usr/bin/svnserve -t
191
+ <%
192
+ end
193
+ rescue NoMethodError
194
+ end
195
+ %>
196
+
197
+ # Support SFTP-only servers, while we're at it
198
+ <%
199
+ begin
200
+ if node['application_attributes']['sftp_only_group'] %>
201
+ Match Group <%= node['application_attributes']['sftp_only_group'] %>
202
+ ForceCommand internal-sftp
203
+ <% begin
204
+ if node['application_attributes']['sftp_chroot'] %>
205
+ ChrootDirectory <%= node['application_attributes']['sftp_chroot'] %>
206
+ <%
207
+ end
208
+ rescue NoMethodError %>
209
+ ChrootDirectory /home/
210
+ <%
211
+ end
212
+ end
213
+ rescue NoMethodError
214
+ end
215
+ %>