From 03ca687bccd7e7c829fcebad44bb222321c6c99a Mon Sep 17 00:00:00 2001
From: Artem Sidorenko
Date: Thu, 22 Dec 2016 20:23:53 +0100
Subject: [PATCH] Bugfix: sshd listens on IPv6 interface if enabled

Fixes GH-140
---
 README.md | 4 +++-
 attributes/default.rb | 3 ---
 recipes/server.rb | 11 +++++++++++
 spec/recipes/server_spec.rb | 27 +++++++++++++++++++++++++++
 4 files changed, 41 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index b47e1a4..34f53da 100644
--- a/README.md
+++ b/README.md
@@ -40,7 +40,7 @@ Below you can find the attribute documentation and their default values.
 * `['ssh-hardening']['ssh']['client']['remote_hosts']` - `[]` - one or more hosts, to which ssh-client can connect to.
 * `['ssh-hardening']['ssh']['client']['password_authentication']` - `false`. Set to `true` if password authentication should be enabled.
 * `['ssh-hardening']['ssh']['client']['roaming']` - `false`. Set to `true` if experimental client roaming should be enabled. This is known to cause potential issues with secrets being disclosed to malicious servers and defaults to being disabled.
-* `['ssh-hardening']['ssh']['server']['listen_to']` - one or more ip addresses, to which ssh-server should listen to. Default is empty, but should be configured for security reasons!
+* `['ssh-hardening']['ssh']['server']['listen_to']` - one or more ip addresses, to which ssh-server should listen to. Default is to listen on all interfaces. It should be configured for security reasons!
 * `['ssh-hardening']['ssh']['server']['allow_root_with_key']` - `false` to disable root login altogether. Set to `true` to allow root to login via key-based mechanism
 * `['ssh-hardening']['ssh']['server']['allow_tcp_forwarding']` - `false`. Set to `true` to allow TCP Forwarding
 * `['ssh-hardening']['ssh']['server']['allow_agent_forwarding']` - `false`. Set to `true` to allow Agent Forwarding
@@ -65,6 +65,8 @@ Below you can find the attribute documentation and their default values.
 * `['ssh-hardening']['ssh']['server']['sftp']['group']` - `sftponly`. Sets the `Match Group` option of SFTP to allow SFTP only for dedicated users
 * `['ssh-hardening']['ssh']['server']['sftp']['chroot']` - `/home/%u`. Sets the directory where the SFTP user should be chrooted
 
+Notice: Some of attribute defaults of this cookbook are set in the recipes. Its a good idea to use a higher [attribute precedence](https://docs.chef.io/attributes.html#attribute-precedence) level for attribute overriding. Otherwise you might get unexpected results.
+
 ## Usage
 
 Add the recipes to the run_list:
diff --git a/attributes/default.rb b/attributes/default.rb
index c4da0d4..541d7c6 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -58,7 +58,6 @@ default['ssh-hardening']['ssh']['client']['cbc_required'] = false
 default['ssh-hardening']['ssh']['client']['weak_hmac'] = false
 default['ssh-hardening']['ssh']['client']['weak_kex'] = false
-
 default['ssh-hardening']['ssh']['client']['remote_hosts'] = []
 default['ssh-hardening']['ssh']['client']['password_authentication'] = false
 # ssh
 # http://undeadly.org/cgi?action=article&sid=20160114142733
@@ -71,11 +70,9 @@ default['ssh-hardening']['ssh']['server']['cbc_required'] = false
 default['ssh-hardening']['ssh']['server']['weak_hmac'] = false
 default['ssh-hardening']['ssh']['server']['weak_kex'] = false
-default['ssh-hardening']['ssh']['server']['listen_to'] = ['0.0.0.0']
 default['ssh-hardening']['ssh']['server']['host_key_files'] = ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key']
 default['ssh-hardening']['ssh']['server']['client_alive_interval'] = 600 # 10min
 default['ssh-hardening']['ssh']['server']['client_alive_count'] = 3 # ~> 3 x interval
-
 default['ssh-hardening']['ssh']['server']['allow_root_with_key'] = false
 default['ssh-hardening']['ssh']['server']['allow_tcp_forwarding'] = false
 default['ssh-hardening']['ssh']['server']['allow_agent_forwarding'] = false
diff --git a/recipes/server.rb b/recipes/server.rb
index fd0d243..e7bd5a0 100644
--- a/recipes/server.rb
+++ b/recipes/server.rb
@@ -19,6 +19,17 @@
 # limitations under the License.
 #
 
+# default attributes
+# We can not set this kind of defaults in the attribute files
+# as we react on value of other attributes
+# https://github.com/dev-sec/chef-ssh-hardening/issues/140#issuecomment-267779720
+node.default['ssh-hardening']['ssh']['server']['listen_to'] =
+ if node['ssh-hardening']['network']['ipv6']['enable']
+ ['0.0.0.0', '::']
+ else
+ ['0.0.0.0']
+ end
+
 # installs package name
 package 'openssh-server' do
 package_name node['ssh-hardening']['sshserver']['package']
diff --git a/spec/recipes/server_spec.rb b/spec/recipes/server_spec.rb
index 6c3d58c..e66fbf6 100644
--- a/spec/recipes/server_spec.rb
+++ b/spec/recipes/server_spec.rb
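Review bot: The `node.default['ssh-hardening']['ssh']['server']['listen_to'] =` assignment in the recipes/server.rb hunk runs at recipe compile time, after all attribute files have loaded, so it appears to replace any `listen_to` a wrapper cookbook set at default precedence in its own attribute file; an operator who pinned specific addresses that way, as the README asks, would silently be back to listening on all interfaces, and the new README notice documents that surprise rather than removing it. Writing the line as `node.default['ssh-hardening']['ssh']['server']['listen_to'] ||=` would keep the derived IPv4/IPv6 default only when nothing at default level has set the key, and leaves higher precedence levels untouched either way. The branch also keys on the truthiness of `node['ssh-hardening']['network']['ipv6']['enable']`, so a string such as `'false'` arriving from JSON would enable the `::` listener; the comment block above the assignment could say that a real boolean is expected, and where that attribute's default is defined is not visible in this patch. This is a flat recipe, so there is no enclosing method to cut.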
@@ -410,4 +410,31 @@
 with_content(/^ChrootDirectory test_home_dir$/)
 end
 end
+
+ context 'with disabled IPv6' do
+ cached(:chef_run) do
+ ChefSpec::ServerRunner.new do |node|
+ node.normal['ssh-hardening']['network']['ipv6']['enable'] = false
+ end.converge(described_recipe)
+ end
+
+ it 'sets proper IPv4 ListenAdress' do
+ expect(chef_run).to render_file('/etc/ssh/sshd_config').
+ with_content(/ListenAddress 0.0.0.0/)
+ end
+ end
+
+ context 'with enabled IPv6' do
+ cached(:chef_run) do
+ ChefSpec::ServerRunner.new do |node|
+ node.normal['ssh-hardening']['network']['ipv6']['enable'] = true
+ end.converge(described_recipe)
+ end
+
+ it 'sets proper IPv4 and IPv6 ListenAdress' do
+ expect(chef_run).to render_file('/etc/ssh/sshd_config').
+ with_content(/ListenAddress 0.0.0.0/).
+ with_content(/ListenAddress ::/)
+ end
+ end
 end
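Review bot: The new matchers `with_content(/ListenAddress 0.0.0.0/)` and `with_content(/ListenAddress ::/)` are unanchored and leave the dots unescaped, so they would also be satisfied by `ListenAddress ::1`, by an address such as `10.0.0.0`, or by a commented-out `#ListenAddress 0.0.0.0`; the surrounding examples anchor and escape (`/^ChrootDirectory test_home_dir$/`), and these should follow: `with_content(/^ListenAddress 0\.0\.0\.0$/)` and `with_content(/^ListenAddress ::$/)`. The 'with disabled IPv6' context also never checks that no IPv6 listener is rendered, which is the half of the fix a regression would most likely break; adding `expect(chef_run).not_to render_file('/etc/ssh/sshd_config').with_content(/^ListenAddress ::$/)` to that example pins it. Both example descriptions spell `ListenAdress` with a single d.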