New cookbook: fb_ssh

This is a cookbook to manage SSH using the FB attribute-driven model. It handles daemon and client configs as well as authorized_keys and authorized_principals. There are few things worth noting here: 1. The API for public keys uses a `data_bag`. Grocery delivery and taste-tester have long supported data_bags even though FB doesn't use them in prod... but it doesn't matter since FB uses principals in prod and not keys, so this shouldn't be an issue no matter what. 2. The CLA for FB includes a grant of all copyrights, but the copyright, AIUI still should say me, so it does. However, I've left the maintainer as the standard FB template.
facebook · Sep 27, 2019 · 620db69 · 620db69
1 parent 9a25021
commit 620db69
Show file tree

Hide file tree

Showing 9 changed files with 458 additions and 0 deletions.
diff --git a/cookbooks/fb_ssh/README.md b/cookbooks/fb_ssh/README.md
@@ -0,0 +1,154 @@
+fb_ssh Cookbook
+===============
+Installs and configures openssh
+
+Requirements
+------------
+
+Attributes
+----------
+* node['fb_ssh']['manage_packages']
+* node['fb_ssh']['sshd_config'][$CONFIG]
+* node['fb_ssh']['ssh_config'][$CONFIG]
+* node['fb_ssh']['enable_central_authorized_keys']
+* node['fb_ssh']['authorized_keys_users']
+* node['fb_ssh']['enable_central_authorized_principals']
+* node['fb_ssh']['authorized_principals'][$USER][$KEYNAME]
+* node['fb_ssh']['authorized_principals_users']
+
+Usage
+-----
+### Packages
+By default `fb_ssh` will install and keep updated both client and server
+packages for ssh.
+
+You can skip package management if you have local packages or otherwise need to
+do your own management by setting `manage_packages` to false.
+
+### Server configuration (sshd_config)
+The `sshd_config` hash holds configs that go into `/etc/ssh/sshd_config`. In
+general each key can have one of three types, bool, string/ints, or array.
+
+Bools are translated into `yes`/`no` when emitted into the config file. These
+are straight-forward:
+
+```
+node.default['fb_ssh']['sshd_config']['PubkeyAuthentication'] = true
+```
+
+Becomes:
+```
+PubkeyAuthentication yes
+```
+
+Strings and ints are always treated like normal strings:
+
+```
+node.default['fb_ssh']['sshd_config']['ClientAliveInterval'] = 0
+node.default['fb_ssh']['sshd_config']['ForceCommand'] = '/bin/false'
+```
+
+Becomes:
+```
+ClientAliveInterval 0
+ForceCommand /bin/false
+```
+
+Arrays will be joined by spaces. It's worth noting that while this feature is
+here to make management easy, one could clearly take a multi-value value key
+and make it a string and it would work, but we support arrays to make modifying
+the value later in the runlist easier. For example:
+
+```
+node.default['fb_ssh']['sshd_config']['AuthorizedKeysFile'] = [
+  '.ssh/authorized_keys',
+  '.ssh/authorized_keys2',
+]
+```
+
+Means later it's easy for someone to do:
+
+```
+node.default['fb_ssh']['sshd_config']['AuthorizedKeysFile'].
+  delete('.ssh/authorized_keys2')
+```
+
+or:
+```
+node.default['fb_ssh']['sshd_config']['AuthorizedKeysFile'] <<
+  '/etc/ssh/authorized_keys/%u'
+```
+
+So be careful to be consistent about this.
+
+### Match Values
+All match rules in sshd must come at the end, because Match blocks take effect
+until the next match block, or the end of the file - indentation is irrelevant.
+
+You can use Match rules as normal. This cookbook will automatically move them
+to the end of the file and keep them in the order that the users specified
+them.
+
+This means that unlike the other keys which are sorted for easier diffing,
+these are not sorted. As such, changing the order of your cookbooks could
+change the order of your match statements, so be careful.
+
+Match statements are the exception to the datatype rule above - their value is
+a hash, and that hash is treated the same as the top-level sshd_config hash:
+
+```
+node.default['fb_ssh']['sshd_config']['Match Address 1.2.3.4'] => {
+  'PasswordAuthentication' => true,
+}
+```
+
+#### Authorized Principals
+
+If you set `enable_central_authorized_principals` to true, then two things will
+happen:
+1. Your AuthorizedPrincipalsFile will be set to `/etc/ssh/authorized_princs/%u`,
+   regardless of what you set it to
+2. The contents of `node['fb_ssh']['authorized_principals']` will be used
+   to populate `/etc/ssh/authorized_princs/` with one file for each
+   user. To limit which users are populated, simply populate the list
+   `node['fb_ssh']['authorized_principals_users']`. The format of the
+   `authorized_principals` attribute is:
+
+```
+node.default['fb_ssh']['authorized_principals'][$USER] = ['one', 'two']
+```
+
+#### Authorized Keys
+
+These work similarly to Authorized Principals. If you set
+`enable_central_authorized_keys` to true, then two things will happen:
+1. Your AuthorizedKeysFile will be set to `/etc/ssh/authorized_keys/%u`,
+   regardless of what you set it to
+2. The contents of the databag `fb_ssh_authorized_keys`
+   will be used to populate `/etc/ssh/authorized_keys/` with key files for each
+   user. To limit which keys go on a user, simply populate the list
+   `node['fb_ssh']['authorized_keys_users']`. The format of the items
+   in databag is:
+
+```
+{
+  'id': $USER,
+  'keyname1': $KEY1,
+  'keyname2': $KEY2,
+  ...
+}
+```
+
+There should be one item for each user, as many keys as you'd like may
+be in that item.
+
+### Client config (ssh_config)
+The client config works the same as the server config, except the special-case
+is `Host` keys instead of `Match` keys. As an example:
+
+```
+node.default['fb_ssh']['ssh_config']['ForwardAgent'] = true
+node.default['fb_ssh']['ssh_config']['Host *.cool.com'] = {
+  'ForwardX11' => true,
+}
+```
diff --git a/cookbooks/fb_ssh/attributes/default.rb b/cookbooks/fb_ssh/attributes/default.rb
@@ -0,0 +1,39 @@
+#
+# Copyright (c) 2019-present, Vicarious, Inc.
+# All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+sftp_path = value_for_platform_family(
+  ['rhel', 'fedora'] => '/usr/libexec/openssh/sftp-server',
+  ['debian'] => '/usr/lib/openssh/sftp-server',
+)
+default['fb_ssh'] = {
+  'enable_central_authorized_keys' => false,
+  'manage_packages' => true,
+  'sshd_config' => {
+    'PermitRootLogin' => false,
+    'UsePAM' => true,
+    'Subsystem ftp' => sftp_path,
+    'AuthorizedKeysFile' => [
+      '.ssh/authorized_keys',
+      '.ssh/authorized_keys2',
+    ],
+  },
+  'authorized_keys' => {},
+  'authorized_keys_users' => [],
+  'authorized_principals' => {},
+  'authorized_principals_users' => [],
+  'ssh_config' => {},
+}
diff --git a/cookbooks/fb_ssh/libraries/default.rb b/cookbooks/fb_ssh/libraries/default.rb
@@ -0,0 +1,25 @@
+#
+# Copyright (c) 2019-present, Vicarious, Inc.
+# All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+module FB
+  class SSH
+    DESTDIR = {
+      'keys' => '/etc/ssh/authorized_keys',
+      'principals' => '/etc/ssh/authorized_princs',
+    }.freeze
+  end
+end
diff --git a/cookbooks/fb_ssh/metadata.rb b/cookbooks/fb_ssh/metadata.rb
@@ -0,0 +1,29 @@
+#
+# Copyright (c) 2019-present, Vicarious, Inc.
+# All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name 'fb_ssh'
+maintainer 'Facebook'
+maintainer_email 'noreply@facebook.com'
+license 'Apache-2.0'
+description 'Configures ssh and sshd including keys and principals'
+source_url 'https://github.com/facebook/chef-cookbooks/'
+long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
+# never EVER change this number, ever.
+version '0.1.0'
+supports 'centos'
+supports 'debian'
+supports 'ubuntu'
diff --git a/cookbooks/fb_ssh/recipes/default.rb b/cookbooks/fb_ssh/recipes/default.rb
@@ -0,0 +1,92 @@
+#
+# Cookbook:: fb_ssh
+# Recipe:: default
+#
+# Copyright (c) 2019-present, Vicarious, Inc.
+# All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+client_pkg = value_for_platform_family(
+  ['rhel', 'fedora'] => 'openssh-clients',
+  ['debian'] => 'openssh-client',
+)
+
+svc = value_for_platform_family(
+  ['rhel', 'fedora'] => 'sshd',
+  ['debian'] => 'ssh',
+)
+
+package client_pkg do
+  only_if { node['fb_ssh']['manage_packages'] }
+  action :upgrade
+end
+
+package 'openssh-server' do
+  action :upgrade
+  notifies :restart, 'service[ssh]'
+end
+
+whyrun_safe_ruby_block 'handle late binding ssh configs' do
+  block do
+    %w{keys principals}.each do |type|
+      enable_name = "enable_central_authorized_#{type}"
+      if node['fb_ssh'][enable_name]
+        cfgname = "Authorized#{type.capitalize}File"
+        if node['fb_ssh']['sshd_config'][cfgname]
+          Chef::Log.warn(
+            "fb_ssh: Overriding sshd '#{cfgname}' per '#{enable_name}'",
+          )
+        end
+        node.default['fb_ssh']['sshd_config'][cfgname] =
+          "#{FB::SSH::DESTDIR[type]}/%u"
+      end
+    end
+  end
+end
+
+template '/etc/ssh/sshd_config' do
+  source 'ssh_config.erb'
+  owner 'root'
+  group 'root'
+  mode '0644'
+  variables({ :type => 'sshd_config' })
+  notifies :restart, 'service[ssh]'
+end
+
+template '/etc/ssh/ssh_config' do
+  source 'ssh_config.erb'
+  owner 'root'
+  group 'root'
+  mode '0644'
+  variables({ :type => 'ssh_config' })
+end
+
+fb_ssh_authorization 'manage keys' do
+  only_if { node['fb_ssh']['enable_central_authorized_keys'] }
+  action :manage_keys
+end
+
+fb_ssh_authorization 'manage principals' do
+  only_if { node['fb_ssh']['enable_central_authorized_principals'] }
+  action :manage_principals
+end
+
+service 'ssh' do
+  # rather than "service svc", give it a consistent name
+  # in case others want to notify it, and then just override
+  # the service name internally to the resource
+  service_name svc
+  action [:enable, :start]
+end