openssh, version 1.4.0

Installs openssh

Install with Berkshelf or Librarian:
cookbook 'openssh', '~> 1.4.0'

Install with Knife:
knife cookbook site install openssh
knife cookbook site download openssh

openssh Cookbook


Installs and configures OpenSSH daemon.

Requirements

Platforms

  • Debian/Ubuntu
  • RHEL/CentOS/Scientific
  • Fedora
  • ArchLinux
  • FreeBSD

Recipes

default

Selects the packages to install by package name and manages the sshd service.

iptables

Set up an iptables firewall rule to allow inbound SSH connections.

Usage

Ensure that the openssh packages are installed and the service is managed with recipe[openssh].

Attributes List

The attributes list is dynamically generated, and lines up with the default openssh configs.

This means anything located in sshd_config or ssh_config can be used in your node attributes.

  • If the option can be entered more than once, use an Array; otherwise use a String. If the option is host-specific, use a Hash (see below for details).
  • Each attribute is stored as ruby case, and converted to camel case for the config file on the fly.
  • The current default attributes match the stock ssh_config and sshd_config provided by openssh.
  • The namespace for sshd_config is node['openssh']['server'].
  • Likewise, the namespace for ssh_config is node['openssh']['client'].
  • An attribute can be an Array, a Hash or a String.
  • If it is an Array, each item in the array gets its own line in the config file.
  • Hash attributes are meant to be used with the ssh_config namespace to create host-specific configurations. The keys of the Hash are used as the Host entries and their associated entries as the configuration values.
  • All the values in openssh are commented out in the attributes/default.rb file for a base starting point.
  • There is one special attribute name, which is match. This is not included in the default template like the others. node['openssh']['server']['match'] must be a Hash, where the key is the match pattern criteria and the value should be a Hash of normal keywords and values. The same transformations listed above apply to these keywords. See examples below.

Dynamic ListenAddress

Pass in a Hash of interface names, and IP address type(s) to bind sshd to. This will expand to a list of IP addresses which override the default node['openssh']['server']['listen_address'] value.

Examples and Common usage

These can be mixed and matched in roles and attributes. Please note that it is possible to get sshd into a state in which it will not run. If this happens, you will need to log in via an alternate method and debug sshd as usual.

No Password logins

This requires the use of identity files to connect.

"openssh": {
  "server": {
    "password_authentication": "no"
  }
}

Match

"openssh": {
  "server": {
    "match": {
      "Address 192.168.1.0/24": {
        "password_authentication": "yes"
      },
      "Group admins": {
        "permit_tunnel": "yes",
        "max_sessions": "20"
      }
    }
  }
}

Enable X Forwarding

"openssh": {
  "server": {
    "x11_forwarding": "yes"
  }
}

Bind to a specific set of addresses (this example actually binds to all).

Not to be used with node['openssh']['listen_interfaces'].

"openssh": {
  "server": {
    "address_family": "any",
    "listen_address": [ "192.168.0.1", "::" ]
  }
}

Bind to the addresses tied to a set of interfaces.

"openssh": {
  "listen_interfaces": {
    "eth0": "inet",
    "eth1": "inet6"
  }
}

Host-specific configurations with hashes.

You can use a Hash with node['openssh']['client'] to configure different values for different hosts.

"client": {
  "*": {
    "g_s_s_a_p_i_authentication": "yes",
    "send_env": "LANG LC_*",
    "hash_known_hosts": "yes"
  },
  "localhost": {
    "user_known_hosts_file": "/dev/null",
    "strict_host_key_checking": "no"
  },
  "127.0.0.1": {
    "user_known_hosts_file": "/dev/null",
    "strict_host_key_checking": "no"
  },
  "other*": {
    "user_known_hosts_file": "/dev/null",
    "strict_host_key_checking": "no"
  }
}

The keys of the Hash become the values of the Host entries. So, the configuration fragment shown above generates:

Host *
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
Host localhost
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
Host 127.0.0.1
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
Host other*
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
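A small renderer that applies the conventions above (snake_case keyword to CamelCase, String vs. Array, the special match Hash for sshd_config, the per-Host Hash for ssh_config, and the listen_interfaces expansion), as an added example that is not the cookbook's own template code. Helper names are mine, keywords are emitted in insertion order, and the Ohai interface layout used by listen_addresses is an assumption.

```ruby
# Added example, not the openssh cookbook's own code; helper names are hypothetical.

# snake_case keyword -> CamelCase as written in ssh(d)_config. Single-letter
# segments run together: g_s_s_a_p_i_authentication -> GSSAPIAuthentication.
def camelize(key)
  key.to_s.split('_').map(&:capitalize).join
end

# One keyword: a String gives one line, an Array gives one line per item.
def render_keyword(key, value, indent = '')
  Array(value).map { |v| "#{indent}#{camelize(key)} #{v}" }
end

# A flat set of keywords (main body, or the body of a Match/Host block).
def render_section(section, indent = '')
  section.flat_map { |k, v| render_keyword(k, v, indent) }
end

# sshd_config: plain keywords first, then one "Match <criteria>" block per key
# of the special 'match' Hash; its keywords get the same transformations.
def render_sshd_config(server)
  lines = render_section(server.reject { |k, _| k == 'match' })
  (server['match'] || {}).each do |criteria, keywords|
    lines << "Match #{criteria}"
    lines.concat(render_section(keywords, '    '))
  end
  lines.join("\n")
end

# ssh_config: each key of the client Hash becomes a "Host <pattern>" block.
def render_ssh_config(client)
  client.flat_map { |host, kw| ["Host #{host}"] + render_section(kw) }.join("\n")
end

# Dynamic ListenAddress: expand { 'eth0' => 'inet', 'eth1' => 'inet6' } against
# Ohai-style data (assumed layout: interfaces[iface]['addresses'][ip]['family']).
def listen_addresses(listen_interfaces, interfaces)
  listen_interfaces.flat_map do |iface, family|
    addrs = interfaces.fetch(iface, {}).fetch('addresses', {})
    addrs.select { |_, info| info['family'] == family }.keys
  end
end

# Constructed sample mirroring the README's Match example.
SAMPLE_SERVER = {
  'password_authentication' => 'no',
  'match' => { 'Group admins' => { 'permit_tunnel' => 'yes', 'max_sessions' => '20' } }
}
puts render_sshd_config(SAMPLE_SERVER) if $PROGRAM_NAME == __FILE__
```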

License & Authors

Copyright:: 2008-2015, Chef Software, Inc

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

Dependent cookbooks

iptables >= 0.0.0

Contingent cookbooks

  • amoeba_basenode
  • duo-unix
  • gitlab
  • gitlab-shell
  • gitlabhq
  • google-authenticator
  • linux-basic
  • nmdbase
  • openldap
  • openssh-lpk
  • platformstack
  • sftp
  • sparkleshare
  • ut_base
  • zenoss

openssh Cookbook CHANGELOG

This file is used to list changes made in each version of the openssh cookbook.

1.4.0 (2015-05-01)

  • #42 - Fixed support for SmartOS
  • #46 - Correct ArchLinux service name
  • #43 - Correct OpenSSH server package name on RHEL, Fedora
  • #31 - Allow included iptables rule to use the same port number if defined in attributes.
  • #41 - Fix default recipe order
  • #47 - Fix up iptables rule
  • #49 - Fixed the print_last_log attribute in the Readme
  • Updated Test Kitchen config with all supported platforms
  • Updated Test Kitchen / Foodcritic / Rubocop / Berkshelf dependencies in the Gemfile
  • Replaced Travis Ruby 1.9.3/2.0.0 testing with 2.1.5/2.2.0
  • Resolved all Rubocop warnings

v1.3.4 (2014-04-23)

  • [COOK-4576] - No way to override AuthorizedKeysFile
  • [COOK-4584] - Use Upstart on Ubuntu 12.04
  • [COOK-4585] - skip match block in template if empty or unset
  • [COOK-4586] OpenSSH Gentoo support

v1.3.2

Bug

  • COOK-3995 - sshd_config template needs ordering
  • COOK-3910 - ssh fails to start in Ubuntu 13.10
  • COOK-2073 - Add support for Match block

v1.3.0

Improvement

Bug

v1.2.2

Bug

  • COOK-3304 - Fix error setting Dynamic ListenAddresses

v1.2.0

Improvement

  • [COOK-2647]: port_ssh iptables template has no corresponding recipe

v1.1.4

  • [COOK-2225] - Add platform_family suse

v1.1.2

  • [COOK-1954] - Fix attribute camel case to match man sshd_config
  • [COOK-1889] - SSH restarting on each chef run due to template changes

v1.1.0

  • [COOK-1663] - Configurable ListenAddress based off list of interface names
  • [COOK-1685] - Make default sshd_config value more robust

v1.0.0

  • [COOK-1014] - Templates for ssh(d).conf files.

v0.8.1

  • Current public release

1.4.0 passed Foodcritic.