{"id":13781170,"url":"https://github.com/sous-chefs/openssh","last_synced_at":"2025-12-18T09:28:11.189Z","repository":{"id":2725731,"uuid":"3720642","full_name":"sous-chefs/openssh","owner":"sous-chefs","description":"Development repository for the openssh cookbook","archived":false,"fork":false,"pushed_at":"2024-03-18T09:13:23.000Z","size":422,"stargazers_count":114,"open_issues_count":6,"forks_count":160,"subscribers_count":50,"default_branch":"main","last_synced_at":"2024-04-14T11:03:41.886Z","etag":null,"topics":["chef","chef-cookbook","chef-resource","hacktoberfest","managed-by-terraform","openssh"],"latest_commit_sha":null,"homepage":"https://supermarket.chef.io/cookbooks/openssh","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sous-chefs.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null},"funding":{"open_collective":"sous-chefs"}},"created_at":"2012-03-14T18:17:44.000Z","updated_at":"2024-05-03T16:00:45.404Z","dependencies_parsed_at":"2023-07-06T08:18:29.586Z","dependency_job_id":"a4e1bf5a-7d03-481b-acb9-12de3a38ac43","html_url":"https://github.com/sous-chefs/openssh","commit_stats":{"total_commits":513,"total_committers":73,"mean_commits":7.027397260273973,"dds":0.760233918128655,"last_synced_commit":"2d763f87f292bca6be0a581d850b44de8ed3e8c1"},"previous_names":[],"tags_count":67,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sous-chefs%2Fopenssh","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sous-che
fs%2Fopenssh/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sous-chefs%2Fopenssh/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sous-chefs%2Fopenssh/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sous-chefs","download_url":"https://codeload.github.com/sous-chefs/openssh/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247352561,"owners_count":20925290,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["chef","chef-cookbook","chef-resource","hacktoberfest","managed-by-terraform","openssh"],"created_at":"2024-08-03T18:01:23.588Z","updated_at":"2025-12-18T09:28:06.151Z","avatar_url":"https://github.com/sous-chefs.png","language":"Ruby","funding_links":["https://opencollective.com/sous-chefs"],"categories":["Cookbooks"],"sub_categories":["Network/Security"],"readme":"# openssh Cookbook\n\n[![Cookbook Version](https://img.shields.io/cookbook/v/openssh.svg)](https://supermarket.chef.io/cookbooks/openssh)\n[![CI State](https://github.com/sous-chefs/openssh/workflows/ci/badge.svg)](https://github.com/sous-chefs/openssh/actions?query=workflow%3Aci)\n[![OpenCollective](https://opencollective.com/sous-chefs/backers/badge.svg)](#backers)\n[![OpenCollective](https://opencollective.com/sous-chefs/sponsors/badge.svg)](#sponsors)\n[![License](https://img.shields.io/badge/License-Apache%202.0-green.svg)](https://opensource.org/licenses/Apache-2.0)\n\nInstalls and configures OpenSSH client and daemon.\n\n## Maintainers\n\nThis 
cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you’d like to know more please visit [sous-chefs.org](https://sous-chefs.org/) or come chat with us on the Chef Community Slack in [#sous-chefs](https://chefcommunity.slack.com/messages/C2V7B88SF).\n\n## Requirements\n\n### Platforms\n\n- Debian/Ubuntu\n- RHEL/CentOS/Scientific/Oracle\n- Fedora\n- FreeBSD\n- Suse Enterprise Linux\n- openSUSE / openSUSE leap\n- AIX 7.1\n- Windows\n\n### Chef\n\n- Chef 12.1+\n\n### Cookbooks\n\n- iptables\n\n## Recipes\n\n### default\n\nInstalls openssh packages, manages the sshd config file, configures trusted CA keys, configures revoked keys, and starts/enables the sshd service.\n\n### iptables\n\nCreates an iptables firewall rule to allow inbound SSH connections.\n\n## Usage\n\nApply the default recipe to the node's run_list to ensure that the openssh packages are installed, sshd is configured, and the service is started and enabled.\n\n## Attributes List\n\nThe attributes list is dynamically generated, and lines up with the default openssh configs.\n\nThis means anything located in [sshd_config](http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config\u0026sektion=5) or [ssh_config](http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config\u0026sektion=5) can be used in your node attributes.\n\n- If the option can be entered more than once, use an _Array_, otherwise, use a _String_. 
If the option is host-specific use a `Hash` (please see below for more details).\n- Each attribute is stored as ruby case, and converted to camel case for the config file on the fly.\n- The current default attributes match the stock `ssh_config` and `sshd_config` provided by openssh.\n- The namespace for `sshd_config` is `node['openssh']['server']`.\n- Likewise, the namespace for `ssh_config` is `node['openssh']['client']`.\n- An attribute can be an `Array`, a `Hash` or a `String`.\n- If it is an `Array`, each item in the array will get its own line in the config file.\n- `Hash` attributes are meant to be used with the `ssh_config` namespace to create host-specific configurations. The keys of the `Hash` will be used as the `Host` entries and their associated entries as the configuration values.\n- All the values in openssh are commented out in the `attributes/default.rb` file for a base starting point.\n- There is one special attribute name, which is `match`. This is not included in the default template like the others. `node['openssh']['server']['match']` must be a Hash, where the key is the match pattern criteria and the value should be a Hash of normal keywords and values. The same transformations listed above apply to these keywords. To get improved sorting of match items, you can prefix the key with a number.  See examples below.\n\n## Dynamic ListenAddress\n\nPass in a `Hash` of interface names, and IP address type(s) to bind sshd to. This will expand to a list of IP addresses which override the default `node['openssh']['server']['listen_address']` value.\n\n## Examples and Common usage\n\nThese can be mixed and matched in roles and attributes.  Please note, it is possible to get sshd into a state in which it will not run.  
If this is the case, you will need to log in via an alternate method and debug sshd like normal.\n\n### No Password logins\n\nThis requires use of identity files to connect.\n\n```json\n\"openssh\": {\n  \"server\": {\n    \"password_authentication\": \"no\"\n  }\n}\n```\n\n### Change sshd Port\n\n```json\n\"openssh\": {\n  \"server\": {\n    \"port\": \"14188\"\n  }\n}\n```\n\n### Match\n\n```json\n\"openssh\": {\n  \"server\": {\n    \"match\": {\n      \"Address 192.168.1.0/24\": {\n        \"password_authentication\": \"yes\"\n      },\n      \"Group admins\": {\n        \"permit_tunnel\": \"yes\",\n        \"max_sessions\": \"20\"\n      }\n    }\n  }\n}\n```\n\n### Match with sorting\n\n```json\n\"openssh\": {\n  \"server\": {\n    \"match\": {\n      \"0 User foobar\": {\n        \"force_command\": \"internal-sftp -d /home/%u -l VERBOSE\"\n      },\n      \"Group admins\": {\n        \"force_command\": \"internal-sftp -d /home/admins -l VERBOSE\"\n      }\n    }\n  }\n}\n```\n\n### Enable X Forwarding\n\n```json\n\"openssh\": {\n  \"server\": {\n    \"x11_forwarding\": \"yes\"\n  }\n}\n```\n\n### Bind to a specific set of addresses (this example actually binds to all)\n\nNot to be used with `node['openssh']['listen_interfaces']`.\n\n```json\n\"openssh\": {\n  \"server\": {\n    \"address_family\": \"any\",\n    \"listen_address\": [ \"192.168.0.1\", \"::\" ]\n  }\n}\n```\n\n### Bind to the addresses tied to a set of interfaces\n\n```json\n\"openssh\": {\n  \"listen_interfaces\": {\n    \"eth0\": \"inet\",\n    \"eth1\": \"inet6\"\n  }\n}\n```\n\n### Configure Trusted User CA Keys\n\n```json\n\"openssh\": {\n  \"ca_keys\": [\n    \"ssh-rsa key... ca_id_1\",\n    \"ssh-rsa key... ca_id_2\"\n  ]\n}\n```\n\n### Configure Revoked Keys\n\n```json\n\"openssh\": {\n  \"server\": {\n    \"revoked_keys\": [\n      \"ssh-rsa key... user_key_1\",\n      \"ssh-rsa key... 
user_key_2\"\n    ]\n  }\n}\n```\n\n### Host-specific configurations with hashes\n\nYou can use a `Hash` with `node['openssh']['client']` to configure different values for different hosts.\n\n```json\n\"client\": {\n  \"*\": {\n    \"g_s_s_a_p_i_authentication\": \"yes\",\n    \"send_env\": \"LANG LC_*\",\n    \"hash_known_hosts\": \"yes\"\n  },\n  \"localhost\": {\n    \"user_known_hosts_file\": \"/dev/null\",\n    \"strict_host_key_checking\": \"no\"\n  },\n  \"127.0.0.1\": {\n    \"user_known_hosts_file\": \"/dev/null\",\n    \"strict_host_key_checking\": \"no\"\n  },\n  \"other*\": {\n    \"user_known_hosts_file\": \"/dev/null\",\n    \"strict_host_key_checking\": \"no\"\n  }\n}\n```\n\nThe keys are used as values with the `Host` entries. So, the configuration fragment shown above generates:\n\n```text\nHost *\nSendEnv LANG LC_*\nHashKnownHosts yes\nGSSAPIAuthentication yes\nHost localhost\nStrictHostKeyChecking no\nUserKnownHostsFile /dev/null\nHost 127.0.0.1\nStrictHostKeyChecking no\nUserKnownHostsFile /dev/null\nHost other*\nStrictHostKeyChecking no\nUserKnownHostsFile /dev/null\n```\n\n### SSH Subsystems\n\nConfigure multiple SSH subsystems (e.g. sftp, netconf):\n\n```json\n\"openssh\": {\n  \"server\": {\n    \"subsystem\": {\n      \"sftp\": \"/usr/lib/openssh/sftp-server\",\n      \"appX\": \"/usr/sbin/appX\"\n    }\n  }\n}\n```\n\nFormer declaration of single subsystem:\n\n```json\n\"openssh\": {\n  \"server\": {\n    \"subsystem\": \"sftp /usr/lib/openssh/sftp-server\"\n  }\n}\n```\n\n## Contributors\n\nThis project exists thanks to all the people who [contribute.](https://opencollective.com/sous-chefs/contributors.svg?width=890\u0026button=false)\n\n### Backers\n\nThank you to all our backers!\n\n![https://opencollective.com/sous-chefs#backers](https://opencollective.com/sous-chefs/backers.svg?width=600\u0026avatarHeight=40)\n\n### Sponsors\n\nSupport this project by becoming a sponsor. 
Your logo will show up here with a link to your website.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsous-chefs%2Fopenssh","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsous-chefs%2Fopenssh","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsous-chefs%2Fopenssh/lists"}