Adoptable Cookbooks List

Looking for a cookbook to adopt? You can now see a list of cookbooks available for adoption!
List of Adoptable Cookbooks

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the supermarket mailing list.

Select Badges

Select Supported Platforms


ssh-hardening (9) Versions 1.1.0

This cookbook installs and provides secure ssh and sshd configurations.

cookbook 'ssh-hardening', '= 1.1.0'
cookbook 'ssh-hardening', '= 1.1.0', :supermarket
knife cookbook site install ssh-hardening
knife cookbook site download ssh-hardening

ssh-hardening (Chef cookbook)

Supermarket Build Status Code Coverage Dependencies Gitter Chat


This cookbook provides secure ssh-client and ssh-server configurations.


  • Opscode chef


  • Debian 6, 7
  • Ubuntu 12.04, 14.04
  • RHEL 6.4, 6.5, 6.6
  • CentOS 6.4, 6.5, 6.6
  • OracleLinux 6.4, 6.5, 6.6


  • ['network']['ipv6']['enable'] - true if IPv6 is needed
  • ['ssh'][{'client', 'server'}]['cbc_required'] - true if CBC for ciphers is required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled. CBC is a weak alternative. Anything weaker should be avoided and is thus not available.
  • ['ssh'][{'client', 'server'}]['weak_hmac'] - true if weaker HMAC mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure HMACs enabled.
  • ['ssh'][{'client', 'server'}]['weak_kex'] - true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure KEXs enabled.
  • ['ssh']['allow_root_with_key'] - false to disable root login altogether. Set to true to allow root to login via key-based mechanism.
  • ['ssh']['ports'] - ports to which ssh-server should listen to and ssh-client should connect to
  • ['ssh']['listen_to'] - one or more ip addresses, to which ssh-server should listen to. Default is empty, but should be configured for security reasons!
  • ['ssh']['remote_hosts'] - one or more hosts, to which ssh-client can connect to. Default is empty, but should be configured for security reasons!
  • ['ssh']['allow_tcp_forwarding'] - false to disable TCP Forwarding. Set to true to allow TCP Forwarding
  • ['ssh']['allow_agent_forwarding'] - false to disable Agent Forwarding. Set to true to allow Agent Forwarding
  • ['ssh']['use_pam'] - false to disable pam authentication
  • ['ssh']['print_motd'] - false to disable printing of the MOTD
  • ['ssh']['print_last_log'] - false to disable display of last login information
  • default['ssh']['deny_users'] - [] to configure DenyUsers, if specified login is disallowed for user names that match one of the patterns.
  • default['ssh']['allow_users'] - [] to configure AllowUsers, if specified, login is allowed only for user names that match one of the patterns.
  • default['ssh']['deny_groups'] - [] to configure DenyGroups, if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns.
  • default['ssh']['allow_groups'] - [] to configure AllowGroups, if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns.
  • default['ssh']['use_dns'] - nil to configure if sshd should look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address.

Data Bags

DEPRECATION WARNING: Support for managing authorized_keys for the root account will be removed from this cookbook in the next major release. Please use alternative cookbooks for that.

This cookbook used to handle authorized keys for the root user, but that support will be removed in the next major release. Use other cookbooks to set up your users.

Old behaviour:

Have users in your data_bag/users/ directory. This cookbook looks for users inside this folder with a ssh_rootkey.


First you have to find out the ssh-key of the user you want to allow. A typical example for this is

cat ~/.ssh/

If that folder doesn't exist or you don't know what this is all about, please read a SSH tutorial for your blend of operating system first.

You can now add this key to the data bag. Example for dada:

Example for data_bags/users/dada.json

  "id" : "dada",
  // ... other stuff ...
  "ssh_rootkey" : "ssh-rsa"

You can then access

ssh dada@yourmachines


Add the recipes to the run_list:


This will install ssh-server and ssh-client. You can alternatively choose only one via:


Configure attributes:

"ssh" : {
  "listen_to" : ""

The default value for listen_to is It is highly recommended to change the value.

Local Testing

For local testing you can use vagrant and Virtualbox of VMWare to run tests locally. You will have to install Virtualbox and Vagrant on your system. See Vagrant Downloads for a vagrant package suitable for your system. For all our tests we use test-kitchen. If you are not familiar with test-kitchen please have a look at their guide.

Next install test-kitchen:

# Install dependencies
gem install bundler
bundle install

# Do lint checks
bundle exec rake lint

# Fetch tests
bundle exec thor kitchen:fetch-remote-tests

# fast test on one machine
bundle exec kitchen test default-ubuntu-1204

# test on all machines
bundle exec kitchen test

# for development
bundle exec kitchen create default-ubuntu-1204
bundle exec kitchen converge default-ubuntu-1204

For more information see test-kitchen

FAQ / Pitfalls

I can't log into my account. I have registered the client key, but it still doesn't let me it.

If you have exhausted all typical issues (firewall, network, key missing, wrong key, account disabled etc.), it may be that your account is locked. The quickest way to find out is to look at the password hash for your user:

sudo grep myuser /etc/shadow

If the hash includes an !, your account is locked:


The proper way to solve this is to unlock the account (passwd -u myuser). If the user doesn't have a password, you should can unlock it via:

usermod -p "*" myuser

Alternatively, if you intend to use PAM, you enabled it via ['ssh']['use_pam'] = true. PAM will allow locked users to get in with keys.

Why doesn't my application connect via SSH anymore?

Always look into log files first and if possible look at the negotation between client and server that is completed when connecting.

We have seen some issues in applications (based on python and ruby) that are due to their use of an outdated crypto set. This collides with this hardening module, which reduced the list of ciphers, message authentication codes (MACs) and key exchange (KEX) algorithms to a more secure selection.

If you find this isn't enough, feel free to activate the attributes cbc_requires for ciphers, weak_hmac for MACs and weak_kexfor KEX in the namespaces ['ssh']['client'] or ['ssh']['server'] based on where you want to support them.

Deprecation Notices

  • node['ssh']['cbc_required'] has been deprecated in favour of node['ssh']['client']['cbc_required'] and node['ssh']['server']['cbc_required'].

  • node['ssh']['weak_hmac'] has been deprecated in favour of node['ssh']['client']['weak_hmac'] and node['ssh']['server']['weak_hmac'].

  • node['ssh']['weak_kex'] has been deprecated in favour of node['ssh']['client']['weak_kex'] and node['ssh']['server']['weak_kex'].

  • The old attributes are still supported but will be removed in the future. In case one of the legacy attributes is set, it still precedes the newly added attributes to allow for backward compatibility.

Contributors + Kudos

This cookbook is mostly based on guides by:

Thanks to all of you!!


See contributor guideline.

License and Author

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Dependent cookbooks

This cookbook has no specified dependencies.

Contingent cookbooks

There are no cookbooks that are contingent upon this one.



  • feature: UsePrivilegeSeparation = sandbox for ssh >= 5.9
  • feature: Debian 8 support
  • feature: UseDNS configuration option
  • feature: allow/deny users/groups configuration options
  • feature: MOTD configuration option
  • bugfix: adjust travis to work with chef12/ruby2


  • improvement: reprioritize EtM-based MACs
  • improvement: move SHA1 KEX algos from default to weak profile


  • feature: separate options for server and client configuration
  • feature: add back GCM-based ciphers
  • feature: remove legacy SSHv1 options
  • improvement: add more spec tests
  • bugfix: restart ssh service on changes


  • new attributes node['ssh']['client']['cbc_required'] and node['ssh']['server']['cbc_required'] replace node['ssh']['cbc_required'], which has been deprecated.

  • new attributes node['ssh']['client']['weak_hmac'] and node['ssh']['server']['weak_hmac'] replace node['ssh']['weak_hmac'], which has been deprecated.

  • new attributes node['ssh']['client']['weak_kex'] and node['ssh']['server']['weak_kex'] replace node['ssh']['weak_kex'], which has been deprecated.

  • deprecated: Manging authorized_keys for root via attributes ssh_rootkey and ssh_rootkeys in the users data bag has been deprecated and emits a waning when used. Support will be removed in 2.x.


  • feature: cipher, macs and key exchange algorithms are now correctly detected on ubuntu 12.04+14.04, centos/oracle/redhat 6.4+6.5, debian 6+7
  • feature: UsePAM can now be configured. Locked accounts may not get access via SSH if UsePAM is disabled (which is the default)
  • feature: AllowTcpForwarding is now configurable. It is safe to set it if the user has a login shell anyway
  • improvement: introduced rubocop+foodcritic for linting. As a result, there has been a long list of cleanups and fixes to make this project looking well-rounded again
  • bugfixes: incorrect crypto-configuration on red-hat based systems and debian


  • imported ssh hardening project and updated to current version with full test suite

Foodcritic Metric

1.1.0 failed this metric

FC031: Cookbook without metadata file: /tmp/cook/32b09e06ee423e82bec52acc/ssh-hardening/metadata.rb:1
FC045: Consider setting cookbook name in metadata: /tmp/cook/32b09e06ee423e82bec52acc/ssh-hardening/metadata.rb:1