sshd_config
Use the sshd_config
Chef InSpec audit resource to test configuration data for the OpenSSH daemon located at /etc/ssh/sshd_config
on Linux and Unix platforms. sshd—the OpenSSH daemon—listens on dedicated ports, starts a daemon for each incoming connection, and then handles encryption, authentication, key exchanges, command execution, and data exchanges.
Availability
Installation
This resource is distributed along with Chef InSpec itself. You can use it automatically.
Version
This resource first became available in v1.0.0 of InSpec.
Syntax
An sshd_config
resource block declares the client OpenSSH configuration data to be tested:
describe sshd_config('path') do
its('name') { should include('foo') }
end
where
name
is a configuration setting insshd_config
('path')
is the non-default/path/to/sshd_config
{ should include('foo') }
tests the value ofname
as read fromsshd_config
versus the value declared in the test
Examples
The following examples show how to use this Chef InSpec audit resource.
Test which variables may be sent to the server
describe sshd_config do
its('AcceptEnv') { should include('CI_ENABLE_COVERAGE') }
end
Test for IPv6-only addresses
describe sshd_config do
its('AddressFamily') { should cmp 'inet6' }
end
Test the Protocol setting
describe sshd_config do
its('Protocol') { should cmp 2 }
end
Test for approved, strong ciphers
describe sshd_config do
its('Ciphers') { should cmp('chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr') }
end
Test SSH protocols
describe sshd_config do
its('Port') { should cmp 22 }
its('UsePAM') { should eq 'yes' }
its('ListenAddress') { should eq nil }
its('HostKey') do
should eq [
'/etc/ssh/ssh_host_rsa_key',
'/etc/ssh/ssh_host_dsa_key',
'/etc/ssh/ssh_host_ecdsa_key',
]
end
end
Matchers
For a full list of available matchers, please visit our matchers page.
name
The name
matcher tests the value of name
as read from sshd_config
versus the value declared in the test:
its('name') { should cmp 'foo' }
or:
its('name') {should include('bar') }