Use the sshd_config Chef InSpec audit resource to test configuration data for the OpenSSH daemon located at /etc/ssh/sshd_config on Linux and Unix platforms. sshd—the OpenSSH daemon—listens on dedicated ports, starts a daemon for each incoming connection, and then handles encryption, authentication, key exchanges, command execution, and data exchanges.
This resource is distributed with Chef InSpec itself, so it is available automatically.
This resource first became available in v1.0.0 of InSpec.
An sshd_config resource block declares the OpenSSH daemon configuration data to be tested:
describe sshd_config('path') do
  its('name') { should include('foo') }
end
where
name is a configuration setting in sshd_config
('path') is the non-default /path/to/sshd_config
{ should include('foo') } tests the value of name as read from sshd_config versus the value declared in the test
The following examples show how to use this Chef InSpec audit resource.
describe sshd_config do
  its('AcceptEnv') { should include('CI_ENABLE_COVERAGE') }
end
describe sshd_config do
  its('AddressFamily') { should cmp 'inet6' }
end
describe sshd_config do
  its('Protocol') { should cmp 2 }
end
describe sshd_config do
  its('Ciphers') { should cmp('chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr') }
end
describe sshd_config do
  its('Port') { should cmp 22 }
  its('UsePAM') { should eq 'yes' }
  its('ListenAddress') { should eq nil }
  its('HostKey') do
    should eq [
      '/etc/ssh/ssh_host_rsa_key',
      '/etc/ssh/ssh_host_dsa_key',
      '/etc/ssh/ssh_host_ecdsa_key',
    ]
  end
end
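The following plain-Ruby sketch is an added example, not part of the original page and not InSpec's own implementation. It shows the kind of values the tests above compare against (nil for an unset keyword, a list for a repeated one) and an order-independent cipher allowlist check; SAMPLE, ALLOWED_CIPHERS, parse_sshd_config, setting and disallowed_ciphers are hypothetical names, and the sample configuration is constructed.

```ruby
# Added example in plain Ruby (not InSpec code). SAMPLE is constructed input;
# parse_sshd_config, setting and disallowed_ciphers are hypothetical helpers.
SAMPLE = <<~CONF
  # constructed sample, not taken from a real host
  Port 22
  usepam yes
  HostKey /etc/ssh/ssh_host_rsa_key
  HostKey /etc/ssh/ssh_host_ecdsa_key
  Ciphers aes256-ctr,chacha20-poly1305@openssh.com,aes128-cbc
  Match User backup
    Port 2222
CONF

# Allowlist for this example (assumption: replace with your own baseline).
ALLOWED_CIPHERS = %w[chacha20-poly1305@openssh.com aes256-ctr aes192-ctr aes128-ctr].freeze

# Collect global keyword/value pairs. Keywords are case-insensitive in
# sshd_config, so keys are downcased; repeated keywords keep every value.
def parse_sshd_config(text)
  settings = Hash.new { |hash, key| hash[key] = [] }
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    keyword, value = line.split(/\s+/, 2)
    break if keyword.casecmp?('match') # assumption: audit global settings only
    settings[keyword.downcase] << value.to_s
  end
  settings
end

# nil when unset, a String for one value, an Array for repeated keywords.
def setting(settings, name)
  values = settings.fetch(name.downcase, [])
  values.length > 1 ? values : values.first
end

# Order-independent check: every configured cipher must be on the allowlist.
# Assumption: only the first Ciphers line is evaluated.
def disallowed_ciphers(settings, allowed = ALLOWED_CIPHERS)
  settings.fetch('ciphers', []).first.to_s.split(',').map(&:strip) - allowed
end

if __FILE__ == $PROGRAM_NAME
  cfg = parse_sshd_config(SAMPLE)
  puts "Port=#{setting(cfg, 'Port')} HostKey=#{setting(cfg, 'HostKey').inspect}"
  puts "Disallowed ciphers: #{disallowed_ciphers(cfg).inspect}"
end
```

An exact-string comparison of Ciphers, as in the example above, also fails when the same ciphers appear in a different order; the set difference reports only the entries that are not on the allowlist.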
For a full list of available matchers, please visit our matchers page.
The name matcher tests the value of name as read from sshd_config versus the value declared in the test:
its('name') { should cmp 'foo' }
or:
its('name') { should include('bar') }
© Chef Software, Inc.
Licensed under the Creative Commons Attribution 3.0 Unported License.
https://docs.chef.io/inspec/resources/sshd_config/