cookbook 'ssh-hardening', '= 2.8.0'
ssh-hardening
(20) Versions
2.8.0
-
Follow38
This cookbook installs and provides secure ssh and sshd configurations.
cookbook 'ssh-hardening', '= 2.8.0', :supermarket
knife supermarket install ssh-hardening
knife supermarket download ssh-hardening
ssh-hardening (Chef cookbook)
Description
This cookbook provides secure ssh-client and ssh-server configurations. This cookbook does not provide capabilities for management of users and/or ssh keys, please use other cookbooks for that.
Requirements
- Chef >= 14.13.11
Platform
- Debian 8, 9, 10
- Ubuntu 16.04, 18.04
- RHEL 6, 7
- CentOS 6, 7
- Oracle Linux 6, 7
- Fedora 29, 30
- OpenSuse Leap 42
- Amazon Linux 1, 2
Attributes
Below you can find the attribute documentation and their default values.
Notice: Some of attribute defaults of this cookbook are set in the recipes. You should use a higher attribute precedence level for overriding of such attributes. Such attributes are flagged with #override attribute#
in the list below. Example for overriding a such attribute:
override['ssh-hardening']['ssh']['server']['listen_to'] = node['ipaddress']
-
['ssh-hardening']['network']['ipv6']['enable']
-false
. Set to true if IPv6 is needed -
['ssh-hardening']['ssh']['ports']
-22
. Ports to which ssh-server should listen to and ssh-client should connect to -
['ssh-hardening']['ssh'][{'client', 'server'}]['kex']
-nil
to calculate best key-exchange (KEX) based on server version, otherwise specify a string of Kex values -
['ssh-hardening']['ssh'][{'client', 'server'}]['mac']
-nil
to calculate best Message Authentication Codes (MACs) based on server version, otherwise specify a string of Mac values -
['ssh-hardening']['ssh'][{'client', 'server'}]['cipher']
-nil
to calculate best ciphers based on server version, otherwise specify a string of Cipher values -
['ssh-hardening']['ssh'][{'client', 'server'}]['cbc_required']
-false
. Set totrue
if CBC for ciphers is required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled. CBC is a weak alternative. Anything weaker should be avoided and is thus not available. -
['ssh-hardening']['ssh'][{'client', 'server'}]['weak_hmac']
-false
. Set totrue
if weaker HMAC mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure HMACs enabled. -
['ssh-hardening']['ssh'][{'client', 'server'}]['weak_kex']
-false
. Set totrue
if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure KEXs enabled. -
['ssh-hardening']['ssh']['client']['remote_hosts']
-[]
- one or more hosts, to which ssh-client can connect to. -
['ssh-hardening']['ssh']['client']['password_authentication']
-false
. Set totrue
if password authentication should be enabled. -
['ssh-hardening']['ssh']['client']['roaming']
-false
. Set totrue
if experimental client roaming should be enabled. This is known to cause potential issues with secrets being disclosed to malicious servers and defaults to being disabled. -
['ssh-hardening']['ssh']['client']['extras']
-{}
. Add extra configuration options, see below for details -
['ssh-hardening']['ssh']['server']['host_key_files']
-nil
to calculate best hostkey configuration based on server version, otherwise specify an array with file paths (e.g./etc/ssh/ssh_host_rsa_key
) -
['ssh-hardening']['ssh']['server']['dh_min_prime_size']
-2048
- Minimal acceptable prime length in bits in/etc/ssh/moduli
. Primes below this number will get removed. (See this for more information and background) -
['ssh-hardening']['ssh']['server']['dh_build_primes']
-false
- If own primes should be built. This rebuild happens only once and takes a lot of time (~ 1.5 - 2h on the modern hardware for 4096 length). -
['ssh-hardening']['ssh']['server']['dh_build_primes_size']
-4096
- Prime length which should be generated. This option is only valid ifdh_build_primes
is enabled. -
['ssh-hardening']['ssh']['server']['listen_to']
#override attribute#
- one or more ip addresses, to which ssh-server should listen to. Default is to listen on all interfaces. It should be configured for security reasons! -
['ssh-hardening']['ssh']['server']['allow_root_with_key']
-false
to disable root login altogether. Set totrue
to allow root to login via key-based mechanism -
['ssh-hardening']['ssh']['server']['allow_tcp_forwarding']
-false
. Set totrue
to allow TCP Forwarding -
['ssh-hardening']['ssh']['server']['allow_agent_forwarding']
-false
. Set totrue
to allow Agent Forwarding -
['ssh-hardening']['ssh']['server']['allow_x11_forwarding']
-false
. Set totrue
to allow X11 Forwarding -
['ssh-hardening']['ssh']['server']['permit_tunnel']
-false
to disable tun device forwarding. Set totrue
to allow tun device forwarding. Other accepted values: 'yes', 'no', 'point-to-point', 'ethernet'. Seeman sshd_config
for exact behaviors. Note: you'll also need to enableallow_tcp_forwarding
. -
['ssh-hardening']['ssh']['server']['use_pam']
-true
. Set tofalse
to disable the pam authentication of sshd -
['ssh-hardening']['ssh']['server']['challenge_response_authentication']
-false
. Set totrue
to enable challenge response authentication. -
['ssh-hardening']['ssh']['server']['deny_users']
-[]
to configureDenyUsers
, if specified login is disallowed for user names that match one of the patterns. -
['ssh-hardening']['ssh']['server']['allow_users']
-[]
to configureAllowUsers
, if specified, login is allowed only for user names that match one of the patterns. -
['ssh-hardening']['ssh']['server']['deny_groups']
-[]
to configureDenyGroups
, if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns. -
['ssh-hardening']['ssh']['server']['allow_groups']
-[]
to configureAllowGroups
, if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. -
['ssh-hardening']['ssh']['server']['print_motd']
-false
. Set totrue
to enable printing of the MOTD -
['ssh-hardening']['ssh']['server']['print_last_log']
-false
. Set totrue
to enable printing of last login information -
['ssh-hardening']['ssh']['server']['banner']
-nil
. Set a path like '/etc/issue.net' to enable the banner -
['ssh-hardening']['ssh']['server']['os_banner']
-false
to disable version information during the protocol handshake (debian family only). Set totrue
to enable it -
['ssh-hardening']['ssh']['server']['use_dns']
-nil
to use the openssh default. Set totrue
orfalse
to enable/disable the DNS lookup and check of remote host -
['ssh-hardening']['ssh']['server']['use_privilege_separation']
-nil
to calculate the best value based on server version, otherwise settrue
orfalse
-
['ssh-hardening']['ssh']['server']['login_grace_time']
-30s
. Time in which the login should be successfully, otherwise the user is disconnected. -
['ssh-hardening']['ssh']['server']['max_auth_tries']
-2
. The number of authentication attempts per connection -
['ssh-hardening']['ssh']['server']['max_sessions']
-10
The number of sessions per connection -
['ssh-hardening']['ssh']['server']['password_authentication']
-false
. Set totrue
if password authentication should be enabled -
['ssh-hardening']['ssh']['server']['log_level']
-verbose
. The log level of sshd. SeeLogLevel
inman 5 sshd_config
for possible values. -
['ssh-hardening']['ssh']['server']['sftp']['enable']
-false
. Set totrue
to enable the SFTP feature of OpenSSH daemon -
['ssh-hardening']['ssh']['server']['sftp']['group']
-sftponly
. Sets theMatch Group
option of SFTP to allow SFTP only for dedicated users -
['ssh-hardening']['ssh']['server']['sftp']['chroot']
-/home/%u
. Sets the directory where the SFTP user should be chrooted -
['ssh-hardening']['ssh']['server']['sftp']['password_authentication']
-false
. Set totrue
if password authentication should be enabled -
['ssh-hardening']['ssh']['server']['authorized_keys_path']
-nil
. If not nil, full path to an authorized keys folder is expected -
['ssh-hardening']['ssh']['server']['extras']
-{}
. Add extra configuration options, see below for details -
['ssh-hardening']['ssh']['server']['match_blocks']
-{}
. Match configuration block, see below for details
Usage
Add the recipes to the run_list:
"recipe[ssh-hardening]"
This will install ssh-server and ssh-client. You can alternatively choose only one via:
"recipe[ssh-hardening::server]"
"recipe[ssh-hardening::client]"
Configure attributes:
"ssh-hardening": {
"ssh" : {
"server" : {
"listen_to" : "10.2.3.4"
}
}
}
The default value for listen_to
is 0.0.0.0
. It is highly recommended to change the value.
SFTP
To enable the SFTP configuration add one of the following recipes to the run_list:
"recipe[ssh-hardening]"
or
"recipe[ssh-hardening::server]"
Configure attributes:
"ssh-hardening": {
"ssh" : {
"server": {
"sftp" : {
"enable" : true,
"chroot" : "/home/sftp/%u",
"group" : "sftusers"
}
}
}
}
This will enable the SFTP Server and chroot every user in the sftpusers
group to the /home/sftp/%u
directory.
Extra Configuration Options
Extra configuration options can be appended to the client or server configuration files. This can be used to override statically set values, or add configuration options not otherwise available via attributes.
The syntax is as follows:
```
=> Extra Server Configuration
default['ssh-hardening']['ssh']['server']['extras'].tap do |extra|
extra['#Some Comment'] = 'Heres the Comment'
extra['AuthenticationMethods'] = 'publickey,keyboard-interactive'
end
=> Extra Client Configuration
default['ssh-hardening']['ssh']['client']['extras'].tap do |extra|
extra['PermitLocalCommand'] = 'no'
extra['Tunnel'] = 'no'
end
```
Match Configuration Options for sshd
Match blocks have to be placed by the end of sshd_config. This can be achieved by using the match_blocks
attribute tree:
default['ssh-hardening']['ssh']['server']['match_blocks'].tap do |match|
match['User root'] = <<~ROOT
AuthorizedKeysFile .ssh/authorized_keys
ROOT
match['User git'] = <<~GIT
Banner none
AuthorizedKeysCommand /bin/false
AuthorizedKeysFile .ssh/authorized_keys
GSSAPIAuthentication no
PasswordAuthentication no
GIT
end
Local Testing
Please install chef-dk, VirtualBox or VMware Workstation and Vagrant.
Linting is checked with rubocop and foodcritic:
$ chef exec rake lint .....
Unit/spec tests are done with chefspec:
$ chef exec rake spec .....
Integration tests are done with test-kitchen and inspec:
$ chef exec rake kitchen ..... # or you can use the kitchen directly $ kitchen test
FAQ / Pitfalls
I can't log into my account. I have registered the client key, but it still doesn't let me it.
If you have exhausted all typical issues (firewall, network, key missing, wrong key, account disabled etc.), it may be that your account is locked. The quickest way to find out is to look at the password hash for your user:
sudo grep myuser /etc/shadow
If the hash includes an !
, your account is locked:
myuser:!:16280:7:60:7:::
The proper way to solve this is to unlock the account (passwd -u myuser
). If the user doesn't have a password, you should can unlock it via:
usermod -p "*" myuser
Alternatively, if you intend to use PAM, you enabled it via ['ssh-hardening']['ssh']['use_pam'] = true
. PAM will allow locked users to get in with keys.
Why doesn't my application connect via SSH anymore?
Always look into log files first and if possible look at the negotation between client and server that is completed when connecting.
We have seen some issues in applications (based on python and ruby) that are due to their use of an outdated crypto set. This collides with this hardening module, which reduced the list of ciphers, message authentication codes (MACs) and key exchange (KEX) algorithms to a more secure selection.
If you find this isn't enough, feel free to activate the attributes cbc_requires
for ciphers, weak_hmac
for MACs and weak_kex
for KEX in the namespaces ['ssh-hardening']['ssh']['client']
or ['ssh-hardening']['ssh']['server']
based on where you want to support them.
Why can't I log to the SFTP server after I added a user to my SFTP group?
This is a ChrootDirectory ownership problem. sshd will reject SFTP connections to accounts that are set to chroot into any directory that has ownership/permissions that sshd considers insecure. sshd's strict ownership/permissions requirements dictate that every directory in the chroot path must be owned by root and only writable by the owner. So, for example, if the chroot environment is /home must be owned by root.
See https://wiki.archlinux.org/index.php/SFTP_chroot
Contributors + Kudos
- Dominik Richter arlimus
- Christoph Hartmann chris-rock
- Bernhard Weisshuhn (a.k.a. bernhorst) bkw
- Patrick Munch atomic111
- Edmund Haselwanter ehaselwanter
- Dana Merrick dmerrick
- Anton Rieder aried3r
- Trent Petersen Rockstar04
- Petri Sirkkala sirkkalap
- Jan Klare jklare
- Zac Hallett zhallett
- Petri Sirkkala sirkkalap
- stribika
This cookbook is mostly based on guides by:
- NSA: Guide to the Secure Configuration of Red Hat Enterprise Linux 5
- Deutsche Telekom, Group IT Security, Security Requirements (German)
Thanks to all of you!!
Contributing
See [contributor guideline](CONTRIBUTING.md).
License and Author
- Author:: Dominik Richter dominik.richter@googlemail.com
- Author:: Deutsche Telekom AG
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Dependent cookbooks
This cookbook has no specified dependencies.
Contingent cookbooks
Change Log
v2.8.0 (2019-07-17)
Merged pull requests:
- Support of custom match configuration blocks #221 (artem-sidorenko)
- Enable CI testing of Debian 10 #220 (artem-sidorenko)
- Updating supported fedora versions and include Fedora 30 #219 (artem-sidorenko)
- Removal of Ubuntu 14.04 because of EOL #218 (artem-sidorenko)
- Switching testing to chef 14&15 #217 (artem-sidorenko)
- Tests: update of gems #213 (artem-sidorenko)
- Tests: try to use SoloRunner instead of ServerRunner #212 (artem-sidorenko)
v2.7.0 (2018-11-21)
Merged pull requests:
- permit_tunnel attribute - allow tun device forwarding #211 (bobchaos)
- Update the CI settings #207 (artem-sidorenko)
- Update issue templates #206 (rndmh3ro)
v2.6.0 (2018-10-19)
Closed issues:
- Removal of deprecated options #202
Merged pull requests:
- Update of badges in README #205 (artem-sidorenko)
- Removal of deprecated options for newer openssh versions #203 (artem-sidorenko)
v2.5.0 (2018-10-10)
Closed issues:
- Change log level for SFTP Subsystem #199
Merged pull requests:
- CI fix: pin cucumber 3 #201 (artem-sidorenko)
- Add attribute for sftp subsystem logging #200 (rediculum)
v2.4.0 (2018-08-01)
Closed issues:
- Errors on Ubuntu 18.04 #195
Merged pull requests:
- Avoid some deprecated options for OpenSSH >=7.6 #198 (artem-sidorenko)
- Update of tests and supported distros and chef versions #197 (artem-sidorenko)
- Update of CI and test environment #196 (artem-sidorenko)
- Make ForwardAgent configurable for Client Configuration #193 (kabakakao)
- minor update to the template #192 (crashdummymch)
- amazonlinux support #188 (chris-rock)
v2.3.1 (2018-02-13)
Merged pull requests:
v2.3.0 (2017-12-19)
Closed issues:
Merged pull requests:
- remove ripemd from MAC list #186 (atomic111)
- Allow password authentification for sftp #184 (avanier)
- Fix Extra Configuration #183 (bdwyertech)
v2.2.1 (2017-08-22)
Closed issues:
- The cookbooks fails on Amazon Linux. #180
Merged pull requests:
- Fix to Issue #180. Cookbook fails on Amazon Linux #181 (jonasduarte)
v2.2.0 (2017-06-18)
Closed issues:
Merged pull requests:
- Running rubocop in the 2.1 mode #179 (artem-sidorenko)
- CI: update to ruby 2.4.1 and gem update #178 (artem-sidorenko)
- CI, Harmonization of tests, Testing of Chef 13 and Chef 12 #176 (artem-sidorenko)
- CI: removal of EOL distros from testing and support #175 (artem-sidorenko)
v2.1.0 (2017-04-19)
Implemented enhancements:
- Suse support missing in metadata #170
Merged pull requests:
- Add Support for Extra Configuration Options #173 (bdwyertech)
- Authorized keys custom path #172 (lubomir-kacalek)
- Add suse to the supported list in metadata #171 (artem-sidorenko)
- Removal of apt/yum cookbooks from tests #169 (artem-sidorenko)
v2.0.0 (2017-02-06)
Implemented enhancements:
- Send and Accept locale environment variables #167 (mikemoate)
- Removal of DSA key from defaults #161 (artem-sidorenko)
- Allow log level configuration of sshd #159 (artem-sidorenko)
- Split the attribues to the client and server areas #150 (artem-sidorenko)
- Attribute namespace ['ssh-hardening'] added #144 (artem-sidorenko)
- Add node attributes to override KEX, MAC and cipher values #141 (bazbremner)
- Use different algorithms depending on the ssh version #166 (artem-sidorenko)
- Avoid small primes for DH and allow rebuild of DH primes #163 (artem-sidorenko)
- Switch UsePAM default to yes #157 (artem-sidorenko)
Fixed bugs:
- IPv6 is not working still if its enabled #140
Closed issues:
- Possibly missing locale handling #160
- Verify the current crypto settings #162
- Error message about DSA key on RHEL 7 #158
- Attributes should be in the own namespace ssh-hardening #142
- Move entire crypto parameter configuration in tests to the centralized place #137
- Move UsePrivilegeSeparation.get to the new library #136
- Release 2.0.0 #133
- configure log level #117
- UsePAM should probably default to yes on Red Hat Linux 7 #96
- refactor library kex and cipher implementation #87
- prohibit use of weak dh moduli #65
- Harmonize API #53
- SSH rootkey configuration is too open #16
Merged pull requests:
- Add oracle bento boxes to vagrant testing #168 (artem-sidorenko)
- Project data for changelog generator #164 (artem-sidorenko)
- Improve the docs on the attribute overriding #156 (artem-sidorenko)
- Tests for GH-131 and GH-132 #155 (artem-sidorenko)
- Update attribute documentation in README #154 (artem-sidorenko)
- Fix the broken master #153 (artem-sidorenko)
- Fixing the broken links in docs #152 (artem-sidorenko)
- Some tests for attributes of last merged PRs #151 (artem-sidorenko)
- Get rid of chefspec/fauxhai warnings in the unit tests #149 (artem-sidorenko)
- Bugfix: sshd listens on IPv6 interface if enabled #148 (artem-sidorenko)
- Update and cleanup of Gemfile #147 (artem-sidorenko)
- Cleanup of some unmaintained docs/files #146 (artem-sidorenko)
- Removal of deprecated attributes #145 (artem-sidorenko)
- Removal of deprecated authorized_keys handling #143 (artem-sidorenko)
- Refactoring of library to simplify the kex/cipher handling #134 (artem-sidorenko)
v1.3.0 (2016-11-23)
Implemented enhancements:
- Support for OpenSuse Leap, new enterprise distro of SUSE #128 (artem-sidorenko)
- Avoid duplicate resource names because of warnings #127 (artem-sidorenko)
Closed issues:
- Allow to configure ChallengeResponseAuthentication (currently it's hardcoded to no) #125
- Make LoginGraceTime configurable #116
- Allow to configure MaxAuthTries #100
Merged pull requests:
- Fixing metadata as supermarket API expects a float #139 (artem-sidorenko)
- Distro information for supermarket #138 (artem-sidorenko)
- Allow login grace time to be configurable #132 (artem-sidorenko)
- Allow to configure ChallengeResponseAuthentication #131 (artem-sidorenko)
- Configurable SSH Banner File #130 (sidxz)
- Update kitchen vagrant configuration #129 (artem-sidorenko)
- Parameterise Banner and DebianBanner as attributes #126 (tsenart)
- Update Rubocop, Foodcritic, and Chefspec coverage #124 (shortdudey123)
v1.2.1 (2016-09-25)
Implemented enhancements:
- add suse and opensuse support #122 (chris-rock)
- activate fedora integration tests in travis #120 (chris-rock)
Merged pull requests:
- Fix deprecation warnings #123 (operatingops)
- Use bracket syntax in attributes/default.rb #121 (aried3r)
- Use new ciphers, kex, macs and priv separation sandbox for redhat family 7 #119 (atomic111)
- change hardening-io to dev-sec domain for build status and code coverage #118 (atomic111)
v1.2.0 (2016-05-29)
Implemented enhancements:
- add changelog generator #104 (chris-rock)
Closed issues:
- SFTP not configurable #110
- default to 'UseRoaming no' #109
- Consider using blank config_disclaimer by default #94
Merged pull requests:
- Document MaxAuthTries and MaxSessions added in 66e7ebfd #115 (bazbremner)
- Use new InSpec integration tests #114 (atomic111)
- Add conditional to cover systemd in Ubuntu 15.04+ #112 (elijah)
- Feature/sftp #111 (jmara)
- Disable experimental client roaming #108 (ascendantlogic)
- Made MaxAuthTries and MaxSessions configurable #107 (runningman84)
- added inspec support (kitchen.yml and Gemfile) #106 (atomic111)
- Apply PasswordAuthentication attribute to SSH #105 (SteveLowe)
- Configurable PasswordAuthentication #102 (sumitgoelpw)
- x11 forwarding should be configurable like tcp and agent forwarding #99 (patcon)
- Correct recipe names in the README #98 (michaelklishin)
- update common kitchen.yml platforms #97 (chris-rock)
- fixes #94 #95 (chris-rock)
- remove old slack notification #92 (chris-rock)
- update common Gemfile for chef11+12 #91 (arlimus)
- common files: centos7 + rubocop #90 (arlimus)
- improve metadata description #88 (chris-rock)
v1.1.0 (2015-04-28)
Closed issues:
- Use new "UseDNS" openssh default #81
- UseDNS no #79
- Debian 8.0 (Jessie) ships with OpenSSH 6.7p1, enable modern algos #77
- Allow management of allow/deny users #75
- update tutorial.md #55
Merged pull requests:
- add Debian 8 to local test-kitchen #84 (chris-rock)
- Modern alogs for Jessie #83 (Rockstar04)
- Update README and use OpenSSH defaults for UseDNS #82 (aried3r)
- Make UseDNS configurable #80 (aried3r)
- update common readme badges #78 (arlimus)
- Allow deny users to be managed from attributes #76 (Rockstar04)
- fix typo in opensshdconf.erb, remove trailing whitespace #74 (zachallett)
- bugfix: adjust travis to work with chef12/ruby2 #73 (arlimus)
- add privilege separation via sandbox mode for ssh >= 5.9 #72 (arlimus)
- Adding attributes to enable printing the MOTD. #71 (dmerrick)
v1.0.3 (2015-01-14)
Closed issues:
- Suggestion: Don't populate /root/.ssh/authorized_keys by default #69
- prefer etm MACs #66
- disable sha1-based key exchanges #64
Merged pull requests:
v1.0.2 (2015-01-12)
Closed issues:
- release on supermarket #62
- host_key_files should not include ssh_host_ecdsa_key on every host #61
- Protocol 1 options while SSH 2 is hard coded #57
- Configuration of root keys via databag and attributes #37
- Bad ciphers on debian 7.0 #25
- update ssh service on changes #24
Merged pull requests:
- add back GCM cipher #67 (arlimus)
- updating common files #63 (arlimus)
- update to rubocop 0.27, exclude Berksfile #60 (bkw)
- updating common files #59 (arlimus)
- remove options that only apply to SSH protocol version 1 #58 (arlimus)
- bring back support for chef-solo #56 (bkw)
- add coverage dir to gitignore, add chefignore #54 (bkw)
- Deprecate managing authorized_keys for root via data bag #52 (bkw)
- Add slack notifications #51 (bkw)
- make users data bag optional #50 (bkw)
- allow cbc, hmac and kex to be configured individually for client and server. #49 (bkw)
- supply proper links for the badges #48 (bkw)
- update travis builds to ruby 2.1.3 #47 (bkw)
- add gymnasium badge for dependencies #46 (bkw)
- update to chefspec 4.1.1 #45 (bkw)
- Add badges #44 (bkw)
- Add chef spec #43 (bkw)
- Update rubocop #42 (bkw)
- fix filenames in comments #41 (bkw)
- updating common files #40 (arlimus)
- Chef Spec Tests #39 (chris-rock)
- improvement: switch to site location in berkshelf #38 (chris-rock)
- Lint #36 (chris-rock)
- minor change to make md table in COMPLIANCE.md work #35 (jklare)
- added info on crypto to readme #34 (arlimus)
- improvement: added faq on locked accounts to readme #33 (arlimus)
- updated kitchen images to current batch (mysql-equivalent) #32 (arlimus)
- add recipe to unlock user accounts #31 (arlimus)
- add pam option to readme #30 (chris-rock)
- fixes #24 #29 (chris-rock)
- fix end keyword #28 (arlimus)
- Debian6fix #27 (arlimus)
- update kitchen tests for vagrant #26 (arlimus)
- update rubocop, add default rake task. fix errors with default task #23 (ehaselwanter)
- update with common run_all_linters task #22 (ehaselwanter)
- adapt to new tests #21 (chris-rock)
- add openstack kitchen gem #20 (chris-rock)
- rename package name attribute from ssl* to ssh* #19 (bkw)
- passwordless users not able to log in #18 (bkw)
- add utf8 header and use ruby 1.9 hash syntax #17 (chris-rock)
- add Berksfile.lock Gemfile.lock to ignore list and remove it from tree #15 (ehaselwanter)
- Typo in username of ssh connection #14 (sirkkalap)
- streamline .rubocop config #13 (ehaselwanter)
- use the role from the integration test suite, not distinct recipes #12 (ehaselwanter)
- fix rubocop violations #11 (ehaselwanter)
- fix foodcritic violations #10 (ehaselwanter)
- made TCP and Agent Forwarding configurable #9 (atomic111)
- be more forgiving and relax rubocop #8 (ehaselwanter)
- add lint and spec infrastructure #7 (ehaselwanter)
- integrate sharedtests #6 (ehaselwanter)
- remove aes-gcm algos from Ciphers, because of http://www.openssh.com/txt/gcmrekey.adv #5 (atomic111)
- fix really old copy-n-paste error in readme #4 (arlimus)
- Contributing guide #3 (arlimus)
- added all kitchen test for ssh_config + sshd_config and added TUTORIAL.md #2 (atomic111)
- add license and improve styling #1 (chris-rock)
* This Change Log was automatically generated by github_changelog_generator
Collaborator Number Metric
2.8.0 passed this metric
Contributing File Metric
2.8.0 passed this metric
Foodcritic Metric
2.8.0 passed this metric
No Binaries Metric
2.8.0 passed this metric
Testing File Metric
2.8.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
2.8.0 passed this metric
2.8.0 passed this metric
2.8.0 passed this metric
Foodcritic Metric
2.8.0 passed this metric
No Binaries Metric
2.8.0 passed this metric
Testing File Metric
2.8.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
2.8.0 passed this metric
2.8.0 passed this metric
2.8.0 passed this metric
Testing File Metric
2.8.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
2.8.0 passed this metric
2.8.0 failed this metric
2.8.0 passed this metric