--- /dev/null
+ssh_utils CHANGELOG
+===================
+
+0.1.0
+-----
+- Initial release of ssh_utils
+
--- /dev/null
+ssh_utils Cookbook
+==================
+
+This cookbook sets up OpenSSH Server.
+
+Requirements
+------------
+
+#### packages
+- none.
+
+#### cookbooks
+- `ssl_cert` - to deploy SSH-CA public key.
+
+Attributes
+----------
+
+#### ssh_utils::default
+
+|Key|Type|Description, example|Default|
+|:--|:--|:--|:--|
+|`['ssh_utils']['with_ssl_cert_cookbook']`|Boolean|works with `ssl_cert` cookbook.|`false`|
+|`['ssh_utils']['ssl_cert']['ca_pubkey_name']`|String|deployed SSH-CA public key name.|`nil`|
+|`['ssh_utils']['sshd_config']['extra_props']['<property_name>']`|String of Array|properties for sshd_config.|empty|
+
+Usage
+-----
+#### ssh_utils::default
+- do nothing.
+
+#### ssh_utils::server
+- set up OpenSSH server.
+- If `node['ssh_utils']['with_ssl_cert_cookbook']` is true,
+`node['ssh_utils']['sshd_config']['extra_props']['TrustedUserCAKeys']` is overridden
+ by the file path based on `node['ssh_utils']['ssl_cert']['ca_pubkey_name']` attributes.
+
+License and Authors
+-------------------
+- Author:: whitestar at osdn.jp
+
+```text
+Copyright 2016, whitestar
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+```
+
--- /dev/null
+#
+# Cookbook Name:: ssh_utils
+# Attributes:: default
+#
+# Copyright 2016, whitestar
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+default['ssh_utils']['with_ssl_cert_cookbook'] = false
+# If node['ssh_utils']['with_ssl_cert_cookbook'] is true,
+# node['ssh_utils']['sshd_config']['extra_props']['TrustedUserCAKeys']
+# is overridden by the following 'ca_pubkey_name' attributes.
+default['ssh_utils']['ssl_cert']['ca_pubkey_name'] = nil
+
+# server
+default['ssh_utils']['sshd_config'] = {
+ 'extra_props' => {
+ # e.g.
+ #'Banner' => '/etc/issue.net',
+ #'TrustedUserCAKeys' => '/path/to/ca_public_keys.pub',
+ },
+}
+
--- /dev/null
+name 'ssh_utils'
+maintainer 'whitestar'
+maintainer_email ''
+license 'Apache 2.0'
+description 'Installs/Configures ssh_utils'
+long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
+version '0.1.0'
+
+depends 'ssl_cert', '>= 0.2.0'
+
--- /dev/null
+#
+# Cookbook Name:: ssh_utils
+# Recipe:: default
+#
+# Copyright 2016, whitestar
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
--- /dev/null
+#
+# Cookbook Name:: ssh_utils
+# Recipe:: server
+#
+# Copyright 2016, whitestar
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+if node['ssh_utils']['with_ssl_cert_cookbook'] \
+ && !node['ssh_utils']['ssl_cert']['ca_pubkey_name'].nil? then
+ node.override['ssh_utils']['sshd_config']['extra_props']['TrustedUserCAKeys'] \
+ = node['ssl_cert']["#{node['ssh_utils']['ssl_cert']['ca_pubkey_name']}_pubkey_path"]
+end
+
+[
+ 'openssh-server',
+].each {|pkg|
+ resources(:package => pkg) rescue package pkg do
+ action :install
+ end
+}
+
+srv = 'sshd'
+conf_mode = '0600'
+
+case node[:platform_family]
+ when 'debian'
+ srv = 'ssh'
+ conf_mode = '0644'
+ when 'rhel'
+ srv = 'sshd'
+ conf_mode = '0600'
+end
+
+resources(:service => srv) rescue service srv do
+ action [:enable, :start]
+end
+
+template "/etc/ssh/sshd_config" do
+ source "etc/ssh/sshd_config"
+ owner 'root'
+ group 'root'
+ mode conf_mode
+ notifies :restart, "service[#{srv}]"
+end
+
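Review bot: The `node.override` assignment for `TrustedUserCAKeys` can silently store nil: when `ca_pubkey_name` is not one of `node['ssl_cert']['ca_pubkey_names']` the `_pubkey_path` attribute does not exist, and the template's `is_a?(String)` branch then drops the key without any error, so sshd converges with no CA trust configured and nothing in the log says so. Resolve the path into a local and fail fast, e.g. `ca_path = node['ssl_cert']["#{node['ssh_utils']['ssl_cert']['ca_pubkey_name']}_pubkey_path"]` followed by `raise "ssh_utils: no ssl_cert pubkey path attribute for #{node['ssh_utils']['ssl_cert']['ca_pubkey_name']}" if ca_path.nil?`. Separately, the template restarts sshd on every change with no syntax check; if the Chef release in use supports the resource `verify` property, `verify 'sshd -t -f %{path}'` on the template prevents a malformed `extra_props` entry from leaving the host without a working sshd. Nothing here includes `ssl_cert::ca_pubkeys`, so whether the CA file exists when sshd restarts depends on run-list ordering — presumably intended, but it deserves a comment above the `if`.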
--- /dev/null
+require_relative '../spec_helper'
+
+describe 'ssh_utils::default' do
+ subject { ChefSpec::Runner.new.converge(described_recipe) }
+
+ # Write quick specs using `it` blocks with implied subjects
+ it { should do_something('...') }
+
+ # Write full examples using the `expect` syntax
+ it 'does something' do
+ expect(subject).to do_something('...')
+ end
+
+ # Use an explicit subject
+ let(:chef_run) { ChefSpec::Runner.new.converge(described_recipe) }
+
+ it 'does something' do
+ expect(chef_run).to do_something('...')
+ end
+end
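Review bot: The spec is still the ChefSpec scaffold — `do_something('...')` is not a matcher, so all three examples fail with NoMethodError, and two examples share the description 'does something'. Since `ssh_utils::default` is documented as doing nothing, the useful coverage is the server recipe; a `describe 'ssh_utils::server'` with `expect(chef_run).to install_package('openssh-server')` and `expect(chef_run).to create_template('/etc/ssh/sshd_config')` would actually exercise this commit. If the ChefSpec version is 4.x or newer, `ChefSpec::Runner` is the deprecated name for `ChefSpec::SoloRunner`.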
--- /dev/null
+# Added by ChefSpec
+require 'chefspec'
+
+# Uncomment to use ChefSpec's Berkshelf extension
+# require 'chefspec/berkshelf'
+
+RSpec.configure do |config|
+ # Specify the path for Chef Solo to find cookbooks
+ # config.cookbook_path = '/var/cookbooks'
+
+ # Specify the path for Chef Solo to find roles
+ # config.role_path = '/var/roles'
+
+ # Specify the Chef log_level (default: :warn)
+ # config.log_level = :debug
+
+ # Specify the path to a local JSON file with Ohai data
+ # config.path = 'ohai.json'
+
+ # Specify the operating platform to mock Ohai data from
+ # config.platform = 'ubuntu'
+
+ # Specify the operating version to mock Ohai data from
+ # config.version = '12.04'
+end
--- /dev/null
+# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options change a
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# Disable legacy (protocol version 1) support in the server for new
+# installations. In future the default will change to require explicit
+# activation of protocol 1
+Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+SyslogFacility AUTHPRIV
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+#AuthorizedKeysFile .ssh/authorized_keys
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandRunAs nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+PasswordAuthentication yes
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+#KerberosUseKuserok yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+GSSAPIAuthentication yes
+#GSSAPICleanupCredentials yes
+GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+#UsePAM no
+UsePAM yes
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#ShowPatchLevel no
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp /usr/libexec/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# ForceCommand cvs server
+
+<%
+node['ssh_utils']['sshd_config']['extra_props'].each {|key, value|
+ if value.is_a?(String) then
+-%>
+<%= key %> <%= value %>
+<%
+ elsif value.is_a?(Array) then
+ value.each {|elm|
+-%>
+<%= key %> <%= elm %>
+<%
+ }
+ end
+}
+-%>
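Review bot: The `extra_props` loop is rendered after the template's hard-coded directives, but sshd uses the first value it reads for each keyword, so an override such as `'PasswordAuthentication' => 'no'` appended here is ignored because `PasswordAuthentication yes` (and likewise `GSSAPIAuthentication yes`, `X11Forwarding yes`, `UsePAM yes`) already appears uncommented above; the same limitation applies to `Port`, `PermitRootLogin`, `X11Forwarding` and `UsePAM` in the other three sshd_config templates added by this commit. Either render the `extra_props` block before the static directives or make those directives attribute-driven, otherwise the README's promise that `extra_props` configures sshd_config does not hold for exactly the security-relevant keys. The loop also silently drops any value that is neither a String nor an Array — an Integer such as `'MaxAuthTries' => 3` renders nothing; collapsing both branches into `Array(value).each {|elm|` renders scalars and arrays alike. Until the ordering is fixed, a comment above the loop, `# NOTE: sshd keeps the first value of each keyword; entries here cannot override directives set above`, would at least make the limitation visible to users.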
--- /dev/null
+# Package generated configuration file
+# See the sshd(8) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 1024
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin without-password
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+#PasswordAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+UsePAM yes
+
+<%
+node['ssh_utils']['sshd_config']['extra_props'].each {|key, value|
+ if value.is_a?(String) then
+-%>
+<%= key %> <%= value %>
+<%
+ elsif value.is_a?(Array) then
+ value.each {|elm|
+-%>
+<%= key %> <%= elm %>
+<%
+ }
+ end
+}
+-%>
--- /dev/null
+# Package generated configuration file
+# See the sshd(8) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 1024
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin without-password
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+#PasswordAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+UsePAM yes
+
+<%
+node['ssh_utils']['sshd_config']['extra_props'].each {|key, value|
+ if value.is_a?(String) then
+-%>
+<%= key %> <%= value %>
+<%
+ elsif value.is_a?(Array) then
+ value.each {|elm|
+-%>
+<%= key %> <%= elm %>
+<%
+ }
+ end
+}
+-%>
--- /dev/null
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 1024
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin without-password
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+#PasswordAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+<%
+node['ssh_utils']['sshd_config']['extra_props'].each {|key, value|
+ if value.is_a?(String) then
+-%>
+<%= key %> <%= value %>
+<%
+ elsif value.is_a?(Array) then
+ value.each {|elm|
+-%>
+<%= key %> <%= elm %>
+<%
+ }
+ end
+}
+-%>
ssl_cert CHANGELOG
==================
+0.2.0
+-----
+- add `ca_pubkeys` recipe for SSH-CA, ...
+
0.1.5
-----
-- add ['ssl_cert']['rhel']['key_access_group'] attribute.
+- add `['ssl_cert']['rhel']['key_access_group']` attribute.
0.1.4
-----
0.1.3
-----
-- add {ca_cert,server_key,server_cert}_file_prefix attributes.
+- add `{ca_cert,server_key,server_cert}_file_prefix` attributes.
0.1.2
-----
------------
#### packages
-- nothing.
+- none.
Attributes
----------
|Key|Type|Description, example|Default|
|:--|:--|:--|:--|
|`['ssl_cert']['ca_names']`|Array|deployed CA certificates from chef-vault|empty|
+|`['ssl_cert']['ca_pubkey_names']`|Array|deployed CA public keys from chef-vault (0.2.0 or later)|empty|
|`['ssl_cert']['common_names']`|Array|deployed server keys and/or certificates from chef-vault|empty|
|`['ssl_cert']['rhel']['key_access_group']`|String|RHEL family's key access group (ver. 0.1.5 or later)|`'ssl-cert'`|
|`['ssl_cert']['chef_gem']['clear_sources']`|Boolean|chef_gem resource's clear_sources property.|`false`|
|`['ssl_cert']['ca_cert_vault']`|String|CA certificate stored vault name.|`'ca_certs'`|
|`['ssl_cert']['ca_cert_vault_item_key']`|String|CA certificate stored vault item key name. (single key or nested hash key path delimited by slash)|`'public'`|
|`['ssl_cert']['ca_cert_file_prefix']`|String|CA certificate file name's prefix.|`''`|
+|`['ssl_cert']['ca_pubkey_vault']`|String|CA public key stored vault name. (0.2.0 or later)|`'ca_pubkeys'`|
+|`['ssl_cert']['ca_pubkey_vault_item_key']`|String|CA public key stored vault item key name. (single key or nested hash key path delimited by slash. 0.2.0 or later)|`'public'`|
+|`['ssl_cert']['ca_pubkey_file_prefix']`|String|CA public key file name's prefix. (0.2.0 or later)|`''`|
|`['ssl_cert']['server_key_vault']`|String|SSL server key stored vault name.|`'ssl_server_keys'`|
|`['ssl_cert']['server_key_vault_item_key']`|String|SSL server key stored vault item key name. (single key or nested hash key path delimited by slash)|`'private'`|
|`['ssl_cert']['server_key_file_prefix']`|String|SSL server key file name's prefix.|`''`|
|`['ssl_cert']['server_cert_vault_item_key']`|String|SSL server certificate stored vault item key name. (single key or nested hash key path delimited by slash)|`'public'`|
|`['ssl_cert']['server_cert_file_prefix']`|String|SSL server certificate file name's prefix.|`''`|
|`['ssl_cert']["#{ca}_cert_path"]`|String|deployed CA certificate file path.|`"#{node['ssl_cert']['certs_dir']}/#{node['ssl_cert']['ca_cert_file_prefix']}#{ca}.crt"`|
+|`['ssl_cert']["#{ca}_pubkey_path"]`|String|deployed CA public key file path. (0.2.0 or later)|`"#{node['ssl_cert']['certs_dir']}/#{node['ssl_cert']['ca_pubkey_file_prefix']}#{ca}.pub"`|
|`['ssl_cert']["#{undotted_cn}_key_path"]`|String|deployed SSL server key file path.|`"#{node['ssl_cert']['private_dir']}/#{node['ssl_cert']['server_key_file_prefix']}#{undotted_cn}.key"`|
|`['ssl_cert']["#{undotted_cn}_cert_path"]`|String|deployed SSL server certificate file path.|`"#{node['ssl_cert']['certs_dir']}/#{node['ssl_cert']['server_cert_file_prefix']}#{undotted_cn}.crt"`|
### recipes
- `ssl_cert::default` - deploys CA certificates, SSL server keys and/or certificates.
- `ssl_cert::ca_certs` - deploys CA certificates.
+- `ssl_cert::ca_pubkeys` - deploys CA public keys for SSH-CA, ... (0.2.0 or later)
- `ssl_cert::server_key_pairs` - deploys SSL server keys and certificates.
- `ssl_cert::server_keys` - deploys SSL server keys.
- `ssl_cert::server_certs` - deploys SSL server certificates.
)
```
+#### CA public keys (0.2.0 or later)
+
+- create vault items.
+
+```text
+$ ruby -rjson -e 'puts JSON.generate({"public" => File.read("grid_ssh_ca.prod.pub")})' \
+> > ~/tmp/grid_ssh_ca.prod.pub.json
+
+$ knife vault create ca_pubkeys grid_ssh_ca.prod \
+> --json ~/tmp/grid_ssh_ca.prod.pub.json
+```
+
+- add cookbook attributes.
+
+```ruby
+override_attributes(
+ 'ssl_cert' => {
+ 'ca_pubkey_names' => [
+ 'grid_ssh_ca',
+ # ...
+ ],
+ },
+)
+```
+
#### SSL server keys and certificates
- create vault items.
### References of deployed key and certificate file paths (with default attributes)
- `node['ssl_cert']["#{ca}_cert_path"]` - e.g. `node['ssl_cert']['grid_ca_cert_path']`
+- `node['ssl_cert']["#{ca}_pubkey_path"]` - e.g. `node['ssl_cert']['grid_ssh_ca_pubkey_path']`
- `node['ssl_cert']["#{undotted_cn}_key_path"]` - e.g. `node['ssl_cert']['node_example_com_key_path']`
- `node['ssl_cert']["#{undotted_cn}_cert_path"]` - e.g. `node['ssl_cert']['node_example_com_cert_path']`
#'grid_ca',
]
+# deployed CA public keys from chef-vault
+# for SSH-CA, ...
+default['ssl_cert']['ca_pubkey_names'] = [
+ #'grid_ssh_ca',
+]
+
# deployed server keys and/or certificates from chef-vault
default['ssl_cert']['common_names'] = [
#'ldap.grid.example.com',
> --json ~/tmp/grid_ca.prod.crt.json
=end
+default['ssl_cert']['ca_pubkey_vault'] = 'ca_pubkeys'
+default['ssl_cert']['ca_pubkey_vault_item_key'] = 'public'
+default['ssl_cert']['ca_pubkey_file_prefix'] = ''
+=begin
+ CA public key vault item name is
+ each CA name + ".#{node['ssl_cert']['vault_item_suffix']}".
+ valut item key is 'public'.
+
+ * vault item management
+
+ $ ruby -rjson -e 'puts JSON.generate({"public" => File.read("grid_ssh_ca.prod.pub")})' \
+ > > ~/tmp/grid_ssh_ca.prod.pub.json
+ $ knife vault create ca_pubkeys grid_ssh_ca.prod \
+ > --json ~/tmp/grid_ssh_ca.prod.pub.json
+=end
+
default['ssl_cert']['server_key_vault'] = 'ssl_server_keys'
default['ssl_cert']['server_key_vault_item_key'] = 'private'
default['ssl_cert']['server_key_file_prefix'] = ''
= "#{node['ssl_cert']['certs_dir']}/#{node['ssl_cert']['ca_cert_file_prefix']}#{ca}.crt"
}
+node['ssl_cert']['ca_pubkey_names'].each {|ca|
+ default['ssl_cert']["#{ca}_pubkey_path"] \
+ = "#{node['ssl_cert']['certs_dir']}/#{node['ssl_cert']['ca_pubkey_file_prefix']}#{ca}.pub"
+}
+
undotted_cns.each {|cn|
default['ssl_cert']["#{cn}_key_path"] \
= "#{node['ssl_cert']['private_dir']}/#{node['ssl_cert']['server_key_file_prefix']}#{cn}.key"
end
+ def ca_public_key(ca)
+ undotted_ca = ca.gsub('.', '_')
+
+ chef_gem_chef_vault
+ require 'chef-vault'
+ pubkey = ChefVault::Item.load(
+ node['ssl_cert']['ca_pubkey_vault'], "#{ca}#{vault_item_suffix}")
+ node['ssl_cert']['ca_pubkey_vault_item_key'].split('/').each {|elm|
+ pubkey = pubkey[elm]
+ }
+
+ pubkey_path = node['ssl_cert']["#{undotted_ca}_pubkey_path"]
+ resources(:file => pubkey_path) rescue file pubkey_path do
+ content pubkey
+ owner 'root'
+ group 'root'
+ mode 0644
+ end
+ end
+
+
def server_certificate(cn)
undotted_cn = cn.gsub('.', '_')
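Review bot: `ca_public_key` reads `node['ssl_cert']["#{undotted_ca}_pubkey_path"]` with dots replaced, but the attribute set in attributes/default.rb is keyed by the raw name (`default['ssl_cert']["#{ca}_pubkey_path"]` inside the `ca_pubkey_names.each` loop) and `ssh_utils::server` also reads the raw-name key, so for a CA name containing a dot the helper gets nil and the `file` resource is created with a nil path; for dotless names the `gsub` is a no-op. The existing `_cert_path` attributes use the raw name, so `pubkey_path = node['ssl_cert']["#{ca}_pubkey_path"]` and dropping `undotted_ca` is the minimal consistent fix. Root-owned `mode 0644` is the right posture for a file that sshd will trust as `TrustedUserCAKeys` (anyone who can write it can mint accepted certificates; reading it is harmless), and a one-line comment to that effect, `# public key: root-only write is what matters, world-readable is intended`, would document the choice. The enclosing module starts outside the hunk.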
license 'Apache 2.0'
description 'Installs/Configures ssl_cert'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version '0.1.5'
+version '0.2.0'
--- /dev/null
+#
+# Cookbook Name:: ssl_cert
+# Recipe:: ca_pubkeys
+#
+# Copyright 2016, whitestar
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+::Chef::Recipe.send(:include, SSLCert::Helper)
+
+node['ssl_cert']['ca_pubkey_names'].each {|ca|
+ ca_public_key(ca)
+}
+