cloud-mu 3.3.2 → 3.4.0
- checksums.yaml +4 -4
- data/cloud-mu.gemspec +3 -3
- data/cookbooks/mu-tools/attributes/default.rb +7 -0
- data/cookbooks/mu-tools/libraries/helper.rb +86 -2
- data/cookbooks/mu-tools/recipes/apply_security.rb +25 -9
- data/cookbooks/mu-tools/recipes/aws_api.rb +4 -0
- data/cookbooks/mu-tools/recipes/google_api.rb +4 -0
- data/cookbooks/mu-tools/recipes/rsyslog.rb +8 -1
- data/cookbooks/mu-tools/resources/disk.rb +33 -12
- data/cookbooks/mu-tools/resources/mommacat_request.rb +1 -2
- data/cookbooks/mu-tools/templates/centos-8/sshd_config.erb +215 -0
- data/extras/clean-stock-amis +10 -2
- data/extras/generate-stock-images +6 -3
- data/extras/image-generators/AWS/centos7.yaml +19 -16
- data/extras/image-generators/AWS/{rhel7.yaml → rhel71.yaml} +0 -0
- data/extras/image-generators/AWS/{win2k12.yaml → win2k12r2.yaml} +0 -0
- data/modules/mommacat.ru +2 -2
- data/modules/mu/cloud/wrappers.rb +16 -7
- data/modules/mu/config/ref.rb +1 -1
- data/modules/mu/defaults/AWS.yaml +96 -96
- data/modules/mu/mommacat.rb +10 -2
- data/modules/mu/mommacat/search.rb +11 -2
- data/modules/mu/mommacat/storage.rb +30 -15
- data/modules/mu/providers/aws.rb +43 -23
- data/modules/mu/providers/aws/database.rb +9 -6
- data/modules/mu/providers/aws/function.rb +8 -5
- data/modules/mu/providers/aws/job.rb +29 -26
- data/modules/mu/providers/aws/role.rb +38 -32
- data/modules/mu/providers/aws/server.rb +58 -51
- data/modules/mu/providers/aws/vpc.rb +3 -0
- data/modules/mu/providers/google.rb +1 -1
- data/modules/mu/providers/google/role.rb +1 -0
- metadata +10 -9
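--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: c0a85c9f70be756955896aaeb1ea32d462178402d4eec97279454337f839fc96
+data.tar.gz: 3bee42f370ebb5ac6caa2fb52a36ec61d4aae204410a4aed13472cad130e222a
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 2910888a4c3061b4536bd84d60ec2c6b2b4170043983c603d5ff5b0af22ed43adee32e283e13da844fd949a9761a88c171a1eeb6b2b99bd7a08a93ed1efae772
+data.tar.gz: 5b6e371475a5768895d5618865d42d5005265fa0810d5bf71e2af93032bb2767e843612ef7ec9e401b7be48dc10827cb3445bd005cdc9e4a8dd088488f30fed7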
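--- a/data/cloud-mu.gemspec
+++ b/data/cloud-mu.gemspec
@@ -17,8 +17,8 @@ end
 
 Gem::Specification.new do |s|
 s.name = 'cloud-mu'
-s.version = '3.
-s.date = '2020-10-
+s.version = '3.4.0'
+s.date = '2020-10-22'
 s.require_paths = ['modules']
 s.required_ruby_version = '>= 2.4'
 s.summary = "The eGTLabs Mu toolkit for unified cloud deployments"
@@ -36,7 +36,7 @@ EOF
 'https://github.com/cloudamatic/mu'
 s.license = 'BSD-3-Clause-Attribution'
 s.add_runtime_dependency 'addressable', '~> 2.5'
-s.add_runtime_dependency "aws-sdk
+s.add_runtime_dependency "aws-sdk", "~> 3.0"
 s.add_runtime_dependency 'azure_sdk', "~> 0.52"
 s.add_runtime_dependency 'bundler', "~> 1.17"
 s.add_runtime_dependency 'chronic_duration', "~> 0.10"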
@@ -21,6 +21,13 @@ if disk_name_str == "CAP-MASTER" or disk_name_str == "MU-MASTER" and !node['host
|
|
21
21
|
disk_name_str = node['hostname']
|
22
22
|
end rescue NoMethodError
|
23
23
|
|
24
|
+
diskdevs = :xvd
|
25
|
+
if !platform_family?("windows")
|
26
|
+
if default['kernel']['modules'].keys.include?("nvme")
|
27
|
+
diskdevs = :nvme
|
28
|
+
end
|
29
|
+
end
|
30
|
+
|
24
31
|
default['os_updates_using_chef'] = false
|
25
32
|
|
26
33
|
default['application_attributes']['application_volume']['mount_directory'] = '/apps'
|
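Review bot: The NVMe probe at new lines 24–29 of attributes/default.rb reads `default['kernel']['modules']`, but the loaded-module list is collected by Ohai into the automatic attribute level and is normally read as `node['kernel']['modules']`; at the default level that key is most likely empty or nil, so `.keys` either raises or the `:nvme` branch never fires. `diskdevs` is also a plain local variable here, assigned twice but never stored into an attribute anywhere in the hunk, so no recipe can observe the result; if it is meant for consumers it needs to become an attribute (for example a key under `default['application_attributes']`, which this file already populates). I would write the test as `if (node['kernel']['modules'] || {}).keys.include?("nvme")` and assign the result to an attribute rather than a local. The `if disk_name_str == ... end rescue NoMethodError` construct this hunk sits under starts before the hunk.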
@@ -45,6 +45,70 @@ module Mutools
|
|
45
45
|
nil
|
46
46
|
end
|
47
47
|
|
48
|
+
# Just list our block devices
|
49
|
+
# @return [Array<String>]
|
50
|
+
def list_disk_devices
|
51
|
+
if File.executable?("/bin/lsblk")
|
52
|
+
shell_out(%Q{/bin/lsblk -i -p -r -n | egrep ' disk( |$)'}).stdout.each_line.map { |l|
|
53
|
+
l.chomp.sub(/ .*/, '')
|
54
|
+
}
|
55
|
+
else
|
56
|
+
# XXX something dumber
|
57
|
+
nil
|
58
|
+
end
|
59
|
+
end
|
60
|
+
|
61
|
+
# If we're in AWS and NVME-aware, return a mapping of AWS-side device names
|
62
|
+
# to actual NVME devices.
|
63
|
+
# @return [Hash]
|
64
|
+
def attached_nvme_disks
|
65
|
+
if get_aws_metadata("meta-data/instance-id").nil? or
|
66
|
+
!File.executable?("/bin/lsblk") or !File.executable?("/sbin/nvme")
|
67
|
+
return {}
|
68
|
+
end
|
69
|
+
map = {}
|
70
|
+
devices = list_disk_devices
|
71
|
+
return {} if !devices
|
72
|
+
devices.each { |d|
|
73
|
+
if d =~ /^\/dev\/nvme/
|
74
|
+
shell_out(%Q{/sbin/nvme id-ctrl -v #{d}}).stdout.each_line { |desc|
|
75
|
+
if desc.match(/^0000: (?:[0-9a-f]{2} ){16}"(.+?)\./)
|
76
|
+
virt_dev = Regexp.last_match[1]
|
77
|
+
map[virt_dev] = d
|
78
|
+
if !File.exists?(virt_dev)
|
79
|
+
begin
|
80
|
+
File.symlink(d, virt_dev)
|
81
|
+
rescue Errno::EEXIST # XXX whyyyyy is this needed
|
82
|
+
end
|
83
|
+
end
|
84
|
+
break
|
85
|
+
end
|
86
|
+
}
|
87
|
+
end
|
88
|
+
}
|
89
|
+
map
|
90
|
+
end
|
91
|
+
|
92
|
+
def real_devicepath(dev)
|
93
|
+
map = attached_nvme_disks
|
94
|
+
if map[dev]
|
95
|
+
map[dev]
|
96
|
+
else
|
97
|
+
dev # be nice to actually handle this too
|
98
|
+
end
|
99
|
+
end
|
100
|
+
|
101
|
+
def nvme?
|
102
|
+
if File.executable?("/bin/lsblk")
|
103
|
+
shell_out(%Q{/bin/lsblk -i -p -r -n}).stdout.each_line { |l|
|
104
|
+
return true if l =~ /^\/dev\/nvme\d/
|
105
|
+
}
|
106
|
+
else
|
107
|
+
return true if File.exists?("/dev/nvme0n1")
|
108
|
+
end
|
109
|
+
false
|
110
|
+
end
|
111
|
+
|
48
112
|
@project = nil
|
49
113
|
@authorizer = nil
|
50
114
|
def set_gcp_cfg_params
|
@@ -186,12 +250,12 @@ module Mutools
|
|
186
250
|
if cloud == "AWS"
|
187
251
|
resp = nil
|
188
252
|
begin
|
253
|
+
Chef::Log.info("Fetch deploy secret from s3://#{bucket}/#(unknown)")
|
189
254
|
resp = s3.get_object(bucket: bucket, key: filename)
|
190
255
|
rescue ::Aws::S3::Errors::PermanentRedirect => e
|
191
256
|
tmps3 = Aws::S3::Client.new(region: "us-east-1")
|
192
257
|
resp = tmps3.get_object(bucket: bucket, key: filename)
|
193
258
|
end
|
194
|
-
Chef::Log.info("Fetch deploy secret from s3://#{bucket}/#(unknown)")
|
195
259
|
secret = resp.body.read
|
196
260
|
elsif cloud == "Google"
|
197
261
|
include_recipe "mu-tools::gcloud"
|
@@ -230,6 +294,7 @@ module Mutools
|
|
230
294
|
end
|
231
295
|
|
232
296
|
def mommacat_request(action, arg)
|
297
|
+
params = Base64.urlsafe_encode64(JSON.generate(arg)) if arg
|
233
298
|
uri = URI("https://#{get_mu_master_ips.first}:2260/")
|
234
299
|
req = Net::HTTP::Post.new(uri)
|
235
300
|
res_type = (node['deployment'].has_key?(:server_pools) and node['deployment']['server_pools'].has_key?(node['service_name'])) ? "server_pool" : "server"
|
@@ -241,6 +306,8 @@ module Mutools
|
|
241
306
|
end
|
242
307
|
|
243
308
|
Chef::Log.info("Sending Momma Cat #{action} request to #{uri} from #{get_aws_metadata("meta-data/instance-id")}")
|
309
|
+
disks_before = list_disk_devices if action == "add_volume"
|
310
|
+
|
244
311
|
req.set_form_data(
|
245
312
|
"mu_id" => mu_get_tag_value("MU-ID"),
|
246
313
|
"mu_resource_name" => node['service_name'],
|
@@ -248,7 +315,7 @@ module Mutools
|
|
248
315
|
"mu_resource_type" => res_type,
|
249
316
|
"mu_user" => node['deployment']['mu_user'] || node['deployment']['chef_user'],
|
250
317
|
"mu_deploy_secret" => secret,
|
251
|
-
action =>
|
318
|
+
action => params
|
252
319
|
)
|
253
320
|
http = Net::HTTP.new(uri.hostname, uri.port)
|
254
321
|
http.use_ssl = true
|
@@ -256,6 +323,23 @@ module Mutools
|
|
256
323
|
response = http.request(req)
|
257
324
|
if response.code != "200"
|
258
325
|
Chef::Log.error("Got #{response.code} back from #{uri} on #{action} => #{arg}")
|
326
|
+
else
|
327
|
+
if action == "add_volume" and arg and arg.is_a?(Hash) and arg[:dev]
|
328
|
+
seen_requested = false
|
329
|
+
retries = 0
|
330
|
+
begin
|
331
|
+
list_disk_devices.each { |d|
|
332
|
+
if d == arg[:dev] or
|
333
|
+
(nvme? and d == attached_nvme_disks[arg[:dev]])
|
334
|
+
seen_requested = true
|
335
|
+
end
|
336
|
+
}
|
337
|
+
if !seen_requested
|
338
|
+
sleep 6
|
339
|
+
retries += 1
|
340
|
+
end
|
341
|
+
end while retries < 5 and !seen_requested
|
342
|
+
end
|
259
343
|
end
|
260
344
|
rescue EOFError => e
|
261
345
|
# Sometimes deployment metadata is incomplete and missing a
|
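Review bot: In `attached_nvme_disks` (new lines 64–90) the symlink branch tests `File.exists?(virt_dev)`, which follows links, so a dangling link left behind by an earlier NVMe enumeration reports false and `File.symlink` then raises exactly the `Errno::EEXIST` that the "whyyyyy" comment rescues, while a link that now resolves to a different `/dev/nvme*` device is silently kept — and disk.rb in this same commit formats and mounts whatever `real_devicepath` returns. Comparing the link target rather than existence fixes both cases, as sketched below; `File.exists?` (here and in `nvme?` at line 107) is also the deprecated spelling of `File.exist?`. If the vendor string in the `0000:` line ever comes back without a `/dev/` prefix, `File.symlink(d, virt_dev)` would create the link relative to the working directory, so `virt_dev = "/dev/#{virt_dev}" unless virt_dev.start_with?("/")` is cheap insurance. In `mommacat_request` (later hunks; the method continues outside them) `disks_before` at line 309 is assigned but never read in any visible line, and the wait loop at 330–341 gives up silently after five tries — a `Chef::Log.warn("#{arg[:dev]} not visible after #{retries} retries")` after the loop would make the subsequent format/mount failure diagnosable, and `begin … end while` is the form RuboCop flags in favour of `loop do … break if … end`.
```ruby
def attached_nvme_disks
  # … unchanged: metadata/tool checks, lsblk listing, nvme id-ctrl parsing …
          virt_dev = Regexp.last_match[1]
          virt_dev = "/dev/#{virt_dev}" unless virt_dev.start_with?("/")
          map[virt_dev] = d
          # File.exist? follows links: a dangling link reads as absent and a
          # link to a renumbered device reads as present. Check the target.
          if File.symlink?(virt_dev) && File.readlink(virt_dev) != d
            File.unlink(virt_dev)
          end
          File.symlink(d, virt_dev) unless File.exist?(virt_dev) || File.symlink?(virt_dev)
          break
  # … unchanged: loop closers and return of map …
```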
@@ -23,13 +23,37 @@ if !node['application_attributes']['skip_recipes'].include?('apply_security')
|
|
23
23
|
include_recipe "mu-tools::aws_api"
|
24
24
|
include_recipe "mu-tools::google_api"
|
25
25
|
|
26
|
+
if node['platform_version'].to_i < 6
|
27
|
+
package "policycoreutils"
|
28
|
+
elsif node['platform_version'].to_i < 8
|
29
|
+
package "policycoreutils-python"
|
30
|
+
else
|
31
|
+
package "xfsprogs"
|
32
|
+
package "xfsprogs-devel"
|
33
|
+
package "policycoreutils-python-utils"
|
34
|
+
end
|
26
35
|
|
27
|
-
%w{
|
36
|
+
%w{ authconfig aide }.each do |pkg|
|
28
37
|
package "apply_security package #{pkg}" do
|
29
38
|
package_name pkg
|
30
39
|
end
|
31
40
|
end
|
32
41
|
|
42
|
+
if node['platform_version'].to_i < 8
|
43
|
+
package "ntp"
|
44
|
+
bash "NTP" do
|
45
|
+
user "root"
|
46
|
+
code <<-EOH
|
47
|
+
chkconfig ntpd on
|
48
|
+
ntpdate pool.ntp.org
|
49
|
+
service ntpd start
|
50
|
+
EOH
|
51
|
+
end
|
52
|
+
else
|
53
|
+
package "chrony"
|
54
|
+
service "chronyd"
|
55
|
+
end
|
56
|
+
|
33
57
|
execute "enable manual auditd restarts" do
|
34
58
|
command "sed -i s/RefuseManualStop=yes/#RefuseManualStop=yes/ /usr/lib/systemd/system/auditd.service ; pkill auditd"
|
35
59
|
ignore_failure true
|
@@ -60,14 +84,6 @@ if !node['application_attributes']['skip_recipes'].include?('apply_security')
|
|
60
84
|
content "set -r autologout 15\n"
|
61
85
|
end
|
62
86
|
|
63
|
-
bash "NTP" do
|
64
|
-
user "root"
|
65
|
-
code <<-EOH
|
66
|
-
chkconfig ntpd on
|
67
|
-
ntpdate pool.ntp.org
|
68
|
-
service ntpd start
|
69
|
-
EOH
|
70
|
-
end
|
71
87
|
|
72
88
|
#File integrity checking. Default configuration
|
73
89
|
bash "AIDE" do
|
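Review bot: `service "chronyd"` at new line 54 declares the resource with no action, and Chef's default action for `service` is `:nothing`, so on `platform_version >= 8` chrony is installed but never enabled or started, whereas the `< 8` branch right above explicitly runs `chkconfig ntpd on` and `service ntpd start`; it should be `service "chronyd" do action [:enable, :start] end`. The package selection at lines 26–34 keys only on `node['platform_version'].to_i` and names RHEL-family packages (`policycoreutils-python-utils`, `xfsprogs-devel`), which is fine if this recipe only ever runs on EL hosts but deserves a comment or a `platform_family?` guard. The same three-way policycoreutils mapping is repeated verbatim in rsyslog.rb in this commit; a single helper in libraries/helper.rb (something like `def semanage_package`) would keep the two from drifting. The second hunk is the pure removal of the old unconditional NTP block and is covered by this note.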
@@ -33,7 +33,14 @@ if !node['application_attributes']['skip_recipes'].include?('rsyslog')
|
|
33
33
|
if platform_family?("rhel") or platform_family?("amazon")
|
34
34
|
$rsyslog_ssl_ca_path = "/etc/pki/Mu_CA.pem"
|
35
35
|
if !platform?("amazon")
|
36
|
-
|
36
|
+
semanage_pkg = if node['platform_version'].to_i < 6
|
37
|
+
"policycoreutils"
|
38
|
+
elsif node['platform_version'].to_i < 8
|
39
|
+
"policycoreutils-python"
|
40
|
+
else
|
41
|
+
"policycoreutils-python-utils"
|
42
|
+
end
|
43
|
+
package semanage_pkg
|
37
44
|
execute "allow rsyslog to meddle with port 10514" do
|
38
45
|
command "/usr/sbin/semanage port -a -t syslogd_port_t -p tcp 10514"
|
39
46
|
not_if "/usr/sbin/semanage port -l | grep '^syslog.*10514'"
|
@@ -10,25 +10,43 @@ actions :create # ~FC092
|
|
10
10
|
default_action :create
|
11
11
|
|
12
12
|
action :create do
|
13
|
-
|
13
|
+
devicepath = new_resource.device
|
14
14
|
path = new_resource.mountpoint
|
15
|
-
devicename =
|
15
|
+
devicename = devicepath.dup
|
16
16
|
|
17
17
|
if set_gcp_cfg_params
|
18
18
|
devicename= devicename.gsub(/.*?\//, "")
|
19
|
-
|
19
|
+
devicepath = "/dev/disk/by-id/google-"+devicename
|
20
20
|
end
|
21
21
|
|
22
|
-
|
22
|
+
# if devicename =~ /^\/dev\/(?:sd|xvd)([a-z])/
|
23
|
+
# if nvme?
|
24
|
+
# map = attached_nvme_disks
|
25
|
+
# if map[devicename]
|
26
|
+
# devicepath = map[devicename]
|
27
|
+
# end
|
28
|
+
# end
|
29
|
+
# end
|
30
|
+
|
31
|
+
mu_tools_mommacat_request "create #{devicepath} for #{path}" do
|
23
32
|
request "add_volume"
|
24
33
|
passparams(
|
25
34
|
:dev => devicename,
|
26
35
|
:size => new_resource.size,
|
27
36
|
:delete_on_termination => new_resource.delete_on_termination
|
28
37
|
)
|
29
|
-
not_if { ::File.exist?(
|
38
|
+
not_if { ::File.exist?(real_devicepath(devicepath)) }
|
30
39
|
end
|
31
40
|
|
41
|
+
# if nvme? and device.nil?
|
42
|
+
# map = attached_nvme_disks
|
43
|
+
# if map[devicename]
|
44
|
+
# devicepath = map[devicename]
|
45
|
+
# else
|
46
|
+
# Chef::Application.fatal!("In NVME mode and attempted to allocate disk #{devicename}, but didn't find it in metadata of any of our NVME block devices (#{map.values.join(", ")})")
|
47
|
+
# end
|
48
|
+
# end
|
49
|
+
|
32
50
|
reboot "Rebooting after adding #{path}" do
|
33
51
|
action :nothing
|
34
52
|
end
|
@@ -38,7 +56,7 @@ action :create do
|
|
38
56
|
action :nothing
|
39
57
|
end
|
40
58
|
mount "/mnt#{backupname}" do
|
41
|
-
device
|
59
|
+
device real_devicepath(devicepath)
|
42
60
|
options "nodev"
|
43
61
|
action :nothing
|
44
62
|
notifies :create, "directory[/mnt#{backupname}]", :before
|
@@ -51,10 +69,11 @@ action :create do
|
|
51
69
|
action :nothing
|
52
70
|
end
|
53
71
|
|
54
|
-
mkfs_cmd = node['platform_version'].to_i == 6 ? "mkfs.ext4 -F #{
|
55
|
-
guard_cmd = node['platform_version'].to_i == 6 ? "tune2fs -l #{
|
72
|
+
# mkfs_cmd = node['platform_version'].to_i == 6 ? "mkfs.ext4 -F #{real_devicepath(devicepath)}" : "mkfs.xfs -i size=512 #{real_devicepath(devicepath)}"
|
73
|
+
# guard_cmd = node['platform_version'].to_i == 6 ? "tune2fs -l #{real_devicepath(devicepath)} > /dev/null" : "xfs_admin -l #{real_devicepath(devicepath)} > /dev/null"
|
56
74
|
|
57
|
-
execute
|
75
|
+
execute "format #{devicename}" do
|
76
|
+
command (node['platform_version'].to_i == 6 ? "mkfs.ext4 -F #{real_devicepath(devicepath)}" : "mkfs.xfs -i size=512 #{real_devicepath(devicepath)}")
|
58
77
|
if new_resource.preserve_data
|
59
78
|
notifies :mount, "mount[/mnt#{backupname}]", :immediately
|
60
79
|
notifies :run, "execute[back up #{backupname}]", :immediately
|
@@ -63,11 +82,13 @@ action :create do
|
|
63
82
|
if new_resource.reboot_after_create
|
64
83
|
notifies :request_reboot, "reboot[Rebooting after adding #{path}]", :delayed
|
65
84
|
end
|
66
|
-
|
85
|
+
retries 5 # sometimes there's a bit of lag
|
86
|
+
retry_delay 6
|
87
|
+
not_if (node['platform_version'].to_i == 6 ? "tune2fs -l #{real_devicepath(devicepath)} > /dev/null" : "xfs_admin -l #{real_devicepath(devicepath)} > /dev/null")
|
67
88
|
end
|
68
89
|
|
69
90
|
if !new_resource.reboot_after_create
|
70
|
-
directory "Ensure existence of #{path} for #{
|
91
|
+
directory "Ensure existence of #{path} for #{real_devicepath(devicepath)}" do
|
71
92
|
recursive true
|
72
93
|
path path
|
73
94
|
end
|
@@ -78,7 +99,7 @@ action :create do
|
|
78
99
|
end
|
79
100
|
|
80
101
|
mount path do
|
81
|
-
device
|
102
|
+
device real_devicepath(devicepath)
|
82
103
|
options "nodev"
|
83
104
|
action [:mount, :enable]
|
84
105
|
notifies :run, "execute[/sbin/restorecon -R #{path}]", :immediately
|
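Review bot: `real_devicepath(devicepath)` is interpolated into plain strings at new lines 59, 76, 87 and 102, and those strings are built when the inner resources are declared, which in a custom-resource action happens before `mu_tools_mommacat_request` (line 31) has converged; on an NVMe host the AWS-name → `/dev/nvme*` mapping only exists once the volume is attached, so at declaration time the helper falls back to the unmapped name and the later mkfs/mount only works because `attached_nvme_disks` has meanwhile created a `/dev/xvd*` symlink as a side effect. Evaluating at converge time removes that hidden dependency: `device lazy { real_devicepath(devicepath) }`, `command lazy { ... }`, and for the guard at line 87 a block form such as `not_if { shell_out(guard_cmd).exitstatus == 0 }` with `guard_cmd` built inside the block. Each `real_devicepath` call also shells out to lsblk and to `nvme id-ctrl` once per NVMe device, so resolving the path once inside a single `lazy` and reusing it would be cheaper than the five separate calls here. The commented-out blocks at 22–29, 41–48 and 72–73 read as abandoned experiments; git keeps the history, so I would delete them rather than ship them. The `action :create` block continues beyond the last hunk.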
@@ -0,0 +1,215 @@
|
|
1
|
+
# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
|
2
|
+
|
3
|
+
# This is the sshd server system-wide configuration file. See
|
4
|
+
# sshd_config(5) for more information.
|
5
|
+
|
6
|
+
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
|
7
|
+
|
8
|
+
# The strategy used for options in the default sshd_config shipped with
|
9
|
+
# OpenSSH is to specify options with their default value where
|
10
|
+
# possible, but leave them commented. Uncommented options override the
|
11
|
+
# default value.
|
12
|
+
|
13
|
+
# If you want to change the port on a SELinux system, you have to tell
|
14
|
+
# SELinux about this change.
|
15
|
+
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
|
16
|
+
#
|
17
|
+
#Port 22
|
18
|
+
#AddressFamily any
|
19
|
+
#ListenAddress 0.0.0.0
|
20
|
+
#ListenAddress ::
|
21
|
+
|
22
|
+
# The default requires explicit activation of protocol 1
|
23
|
+
#Protocol 2
|
24
|
+
|
25
|
+
# HostKey for protocol version 1
|
26
|
+
#HostKey /etc/ssh/ssh_host_key
|
27
|
+
# HostKeys for protocol version 2
|
28
|
+
HostKey /etc/ssh/ssh_host_rsa_key
|
29
|
+
#HostKey /etc/ssh/ssh_host_dsa_key
|
30
|
+
HostKey /etc/ssh/ssh_host_ecdsa_key
|
31
|
+
HostKey /etc/ssh/ssh_host_ed25519_key
|
32
|
+
|
33
|
+
# Lifetime and size of ephemeral version 1 server key
|
34
|
+
#KeyRegenerationInterval 1h
|
35
|
+
#ServerKeyBits 1024
|
36
|
+
|
37
|
+
# Logging
|
38
|
+
# obsoletes QuietMode and FascistLogging
|
39
|
+
#SyslogFacility AUTH
|
40
|
+
SyslogFacility AUTHPRIV
|
41
|
+
LogLevel INFO
|
42
|
+
|
43
|
+
# Authentication:
|
44
|
+
|
45
|
+
#LoginGraceTime 2m
|
46
|
+
#PermitRootLogin yes
|
47
|
+
#StrictModes yes
|
48
|
+
MaxAuthTries 4
|
49
|
+
#MaxSessions 10
|
50
|
+
|
51
|
+
#RSAAuthentication yes
|
52
|
+
#PubkeyAuthentication yes
|
53
|
+
|
54
|
+
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
|
55
|
+
# but this is overridden so installations will only check .ssh/authorized_keys
|
56
|
+
AuthorizedKeysFile .ssh/authorized_keys
|
57
|
+
|
58
|
+
#AuthorizedPrincipalsFile none
|
59
|
+
|
60
|
+
#AuthorizedKeysCommand none
|
61
|
+
#AuthorizedKeysCommandUser nobody
|
62
|
+
|
63
|
+
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
64
|
+
#RhostsRSAAuthentication no
|
65
|
+
# similar for protocol version 2
|
66
|
+
HostbasedAuthentication no
|
67
|
+
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
68
|
+
# RhostsRSAAuthentication and HostbasedAuthentication
|
69
|
+
#IgnoreUserKnownHosts no
|
70
|
+
# Don't read the user's ~/.rhosts and ~/.shosts files
|
71
|
+
IgnoreRhosts yes
|
72
|
+
|
73
|
+
# To disable tunneled clear text passwords, change to no here!
|
74
|
+
#PasswordAuthentication yes
|
75
|
+
PermitEmptyPasswords no
|
76
|
+
<% begin
|
77
|
+
if node['application_attributes']['sshd_allow_password_auth'] %>
|
78
|
+
PasswordAuthentication yes
|
79
|
+
<%
|
80
|
+
else %>
|
81
|
+
PasswordAuthentication no
|
82
|
+
<% end
|
83
|
+
rescue NoMethodError %>
|
84
|
+
PasswordAuthentication no
|
85
|
+
<% end %>
|
86
|
+
|
87
|
+
|
88
|
+
# Change to no to disable s/key passwords
|
89
|
+
#ChallengeResponseAuthentication yes
|
90
|
+
ChallengeResponseAuthentication no
|
91
|
+
|
92
|
+
# Kerberos options
|
93
|
+
#KerberosAuthentication no
|
94
|
+
#KerberosOrLocalPasswd yes
|
95
|
+
#KerberosTicketCleanup yes
|
96
|
+
#KerberosGetAFSToken no
|
97
|
+
#KerberosUseKuserok yes
|
98
|
+
|
99
|
+
# GSSAPI options
|
100
|
+
#GSSAPIAuthentication no
|
101
|
+
GSSAPIAuthentication yes
|
102
|
+
GSSAPICleanupCredentials yes
|
103
|
+
#GSSAPIStrictAcceptorCheck yes
|
104
|
+
#GSSAPIKeyExchange no
|
105
|
+
#GSSAPIEnablek5users no
|
106
|
+
|
107
|
+
# Set this to 'yes' to enable PAM authentication, account processing,
|
108
|
+
# and session processing. If this is enabled, PAM authentication will
|
109
|
+
# be allowed through the ChallengeResponseAuthentication and
|
110
|
+
# PasswordAuthentication. Depending on your PAM configuration,
|
111
|
+
# PAM authentication via ChallengeResponseAuthentication may bypass
|
112
|
+
# the setting of "PermitRootLogin without-password".
|
113
|
+
# If you just want the PAM account and session checks to run without
|
114
|
+
# PAM authentication, then enable this but set PasswordAuthentication
|
115
|
+
# and ChallengeResponseAuthentication to 'no'.
|
116
|
+
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
|
117
|
+
# problems.
|
118
|
+
UsePAM yes
|
119
|
+
|
120
|
+
# Accept locale-related environment variables
|
121
|
+
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
122
|
+
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
123
|
+
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
124
|
+
AcceptEnv XMODIFIERS
|
125
|
+
|
126
|
+
#AllowAgentForwarding yes
|
127
|
+
#AllowTcpForwarding yes
|
128
|
+
#GatewayPorts no
|
129
|
+
X11Forwarding no
|
130
|
+
#X11DisplayOffset 10
|
131
|
+
#X11UseLocalhost yes
|
132
|
+
#PermitTTY yes
|
133
|
+
#PrintMotd yes
|
134
|
+
#PrintLastLog yes
|
135
|
+
#TCPKeepAlive yes
|
136
|
+
#UseLogin no
|
137
|
+
UsePrivilegeSeparation sandbox # Default for new installations.
|
138
|
+
#PermitUserEnvironment no
|
139
|
+
#Compression delayed
|
140
|
+
ClientAliveInterval 300
|
141
|
+
ClientAliveCountMax 0
|
142
|
+
#ShowPatchLevel no
|
143
|
+
#UseDNS yes
|
144
|
+
#PidFile /var/run/sshd.pid
|
145
|
+
#MaxStartups 10:30:100
|
146
|
+
#PermitTunnel no
|
147
|
+
#ChrootDirectory none
|
148
|
+
#VersionAddendum none
|
149
|
+
|
150
|
+
# no default banner path
|
151
|
+
#Banner none
|
152
|
+
Banner /etc/issue.net
|
153
|
+
|
154
|
+
# override default of no subsystems
|
155
|
+
Subsystem sftp /usr/libexec/openssh/sftp-server
|
156
|
+
|
157
|
+
# Example of overriding settings on a per-user basis
|
158
|
+
#Match User anoncvs
|
159
|
+
# X11Forwarding no
|
160
|
+
# AllowTcpForwarding no
|
161
|
+
# PermitTTY no
|
162
|
+
# ForceCommand cvs server
|
163
|
+
PermitRootLogin without-password
|
164
|
+
UseDNS no
|
165
|
+
|
166
|
+
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
|
167
|
+
|
168
|
+
# If we've set AllowGroups, use that instead of restricting to centos
|
169
|
+
<%
|
170
|
+
begin
|
171
|
+
if !node['application_attributes']['sshd_allow_groups'].empty? %>
|
172
|
+
AllowGroups <%= node['application_attributes']['sshd_allow_groups'] %> root
|
173
|
+
<%
|
174
|
+
else
|
175
|
+
%>
|
176
|
+
AllowUsers centos root
|
177
|
+
<%
|
178
|
+
end
|
179
|
+
rescue NoMethodError %>
|
180
|
+
AllowUsers centos root
|
181
|
+
<%
|
182
|
+
end
|
183
|
+
%>
|
184
|
+
|
185
|
+
# Support SVN-only servers, while we're at it
|
186
|
+
<%
|
187
|
+
begin
|
188
|
+
if node['application_attributes']['svn_only_group'] %>
|
189
|
+
Match Group <%= node['application_attributes']['svn_only_group'] %>
|
190
|
+
ForceCommand /usr/bin/svnserve -t
|
191
|
+
<%
|
192
|
+
end
|
193
|
+
rescue NoMethodError
|
194
|
+
end
|
195
|
+
%>
|
196
|
+
|
197
|
+
# Support SFTP-only servers, while we're at it
|
198
|
+
<%
|
199
|
+
begin
|
200
|
+
if node['application_attributes']['sftp_only_group'] %>
|
201
|
+
Match Group <%= node['application_attributes']['sftp_only_group'] %>
|
202
|
+
ForceCommand internal-sftp
|
203
|
+
<% begin
|
204
|
+
if node['application_attributes']['sftp_chroot'] %>
|
205
|
+
ChrootDirectory <%= node['application_attributes']['sftp_chroot'] %>
|
206
|
+
<%
|
207
|
+
end
|
208
|
+
rescue NoMethodError %>
|
209
|
+
ChrootDirectory /home/
|
210
|
+
<%
|
211
|
+
end
|
212
|
+
end
|
213
|
+
rescue NoMethodError
|
214
|
+
end
|
215
|
+
%>
|
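Review bot: This centos-8 template is the 2014 OpenSSH 6.x file (header at line 1) with overrides, and several of them do not do what they appear to on the OpenSSH 8.0 that CentOS 8 ships: `UsePrivilegeSeparation sandbox` (line 137) is a removed option that sshd only logs a deprecation warning for, and the `Ciphers` line (166) is overridden on RHEL 8 derivatives by the system-wide crypto policy, because sshd.service starts sshd with the `$CRYPTO_POLICY` options from /etc/sysconfig/sshd and command-line options take precedence over sshd_config — so either drop the line and manage ciphers via `update-crypto-policies`, or document that `CRYPTO_POLICY=` must be blanked in /etc/sysconfig/sshd for it to apply. `PermitRootLogin without-password` (163) together with `root` in every AllowUsers/AllowGroups branch keeps key-based root login open from anywhere; if the Mu master genuinely needs it, a `Match Address <mu-master-cidr>` block (placeholder) scoped to that source is narrower, otherwise `PermitRootLogin no`. `ClientAliveCountMax 0` (141) also changed meaning in OpenSSH 8.2, where 0 disables idle termination instead of enforcing it, so the intended 300 s idle timeout silently stops applying once the host moves past 8.0; `ClientAliveCountMax 1` preserves the intent on both. The Protocol-1 leftovers (`#Protocol 2`, `#ServerKeyBits`, `#RSAAuthentication`) are commented and harmless but are noise in a file that claims to be CentOS 8 specific.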