DEVHIDE
Login Or Sign up

Chef: deploy a server with root ssh access disabled?

3.3k Views Asked by At

When we provision new linux servers, we

  • create a new user with sudo rights, and...
  • block root from ssh access

And then we proceed to configure the system via the new user account. Of course we do it this way because our logs are full of hostile ssh root login attempts.

But now we're trying to use Chef (chef solo with knife-solo and librarian-chef) to build servers. Once we create a recipe that blocks ssh login from root, we can't run the recipes again.

I have seen this: How to run chef-client vagrant provisioner from custom non-root user? but it seems like "root" is hardcoded all over the place and the accepted solution would require branching all the basic cookbooks.

Any ideas on how to create a re-runnable Chef setup that includes disabling root ssh access ?

ssh root chef-infra knife-solo
Original Q&A
2

There are 2 best solutions below

3
On BEST ANSWER

It's not unusual to bootstrap servers using a non-root account. As @StephenKing pointed out, knife supports this. The following is my normal procedure:

ssh-copy-id me@hostname
knife bootstrap hostname --ssh-user me --sudo --run-list role[desired_server_role]

However, this answer assumes you're using a chef server (highly recommended)....

You are using a non-standard knife plugin to emulate this bootstrapping behavior. The documentation states that sudo will be used by the "knife solo prepare" command:

It will look up SSH information from ~/.ssh/config or in the file specified by -F. You can also pass port information (-p), identity information (-i), or a password (-P). It will use sudo to run some of these commands and will prompt you for the password if it's not supplied on the command line.

And the "knife solo bootstrap" command appears to support similar options to the standard bootstrap.

$ knife solo bootstrap -h 
knife solo bootstrap [USER@]HOSTNAME [JSON] (options)
        --no-berkshelf               Skip berks install
        --bootstrap-version VERSION  The version of Chef to install
    -N, --node-name NAME             The Chef node name for your new node
        --server-url URL             Chef Server URL
        --chef-zero-port PORT        Port to start chef-zero on
    -k, --key KEY                    API Client Key
        --[no-]color                 Use colored output, defaults to false on Windows, true otherwise
    -c, --config CONFIG              The configuration file to use
        --defaults                   Accept default values for all questions
    -d, --disable-editing            Do not open EDITOR, just accept the data as is
    -e, --editor EDITOR              Set the editor to use for interactive commands
    -E, --environment ENVIRONMENT    The Chef environment for your node
        --format FORMAT              Which format to use for output
        --[no-]host-key-verify       Verify host key, enabled by default.
    -i, --identity-file FILE         The ssh identity file
    -j JSON_ATTRIBS,                 A JSON string to be added to node config (if it does not exist)
        --json-attributes
        --no-librarian               Skip librarian-chef install
    -z, --local-mode                 Point knife commands at local repository instead of server
    -u, --user USER                  API Client Username
        --omnibus-options "OPTIONS"  Pass options to the install.sh script
        --omnibus-url URL            URL to download install.sh from
        --omnibus-version VERSION    Deprecated. Replaced with --bootstrap-version.
        --prerelease                 Install the pre-release Chef version
        --print-after                Show the data after a destructive operation
    -r, --run-list RUN_LIST          Comma separated list of roles/recipes to put to node config (if it does not exist)
    -F CONFIG_FILE,                  Alternate location for ssh config file
        --ssh-config-file
        --ssh-identity FILE          Deprecated. Replaced with --identity-file.
    -P, --ssh-password PASSWORD      The ssh password
    -p, --ssh-port PORT              The ssh port
    -x, --ssh-user USERNAME          The ssh username
    -s, --startup-script FILE        The startup script on the remote server containing variable definitions
        --sudo-command SUDO_COMMAND  The command to use instead of sudo for admin privileges
        --sync-only                  Only sync the cookbook - do not run Chef
    -V, --verbose                    More verbose output. Use twice for max verbosity
    -v, --version                    Show chef version
    -W, --why-run                    Enable whyrun mode
    -y, --yes                        Say yes to all prompts for confirmation
    -h, --help                       Show this message

I notice all kinds of funky stuff including an option to use chef zero (a feature now supported in chef-client).

Hope this helps, but I'd advise considering the use of chef-server. It's easy to stand up and you will then be following a standard way of using chef.

Update

An interesting read:

0
On

It works with sudo as well (knife bootstrap and, of course, running sudo chef-client).

Related Questions in SSH

Related Questions in ROOT

Related Questions in CHEF-INFRA

Related Questions in KNIFE-SOLO

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.