---
title: About the sshd_config Resource
platform: linux
---
# sshd_config
Use the `sshd_config` Chef InSpec audit resource to test configuration data for the OpenSSH daemon located at `/etc/ssh/sshd_config` on Linux and Unix platforms. sshd---the OpenSSH daemon---listens on dedicated ports, starts a daemon for each incoming connection, and then handles encryption, authentication, key exchanges, command execution, and data exchanges.
<br>
## Availability
### Installation
This resource is distributed along with Chef InSpec itself. You can use it automatically.
### Version
This resource first became available in v1.0.0 of InSpec.
## Syntax
An `sshd_config` resource block declares the OpenSSH daemon configuration data to be tested:

```ruby
describe sshd_config('path') do
  its('name') { should include('foo') }
end
```

where

* `name` is a configuration setting in `sshd_config`
* `('path')` is the non-default `/path/to/sshd_config`
* `{ should include('foo') }` tests the value of `name` as read from `sshd_config` versus the value declared in the test
<br>
## Examples
The following examples show how to use this Chef InSpec audit resource.
### Test which variables may be sent to the server
```ruby
describe sshd_config do
  its('AcceptEnv') { should include('CI_ENABLE_COVERAGE') }
end
```
### Test for IPv6-only addresses
```ruby
describe sshd_config do
  its('AddressFamily') { should cmp 'inet6' }
end
```
### Test the Protocol setting
```ruby
describe sshd_config do
  its('Protocol') { should cmp 2 }
end
```
### Test for approved, strong ciphers
```ruby
describe sshd_config do
  its('Ciphers') { should cmp('chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr') }
end
```
### Test SSH protocols
```ruby
describe sshd_config do
  its('Port') { should cmp 22 }
  its('UsePAM') { should eq 'yes' }
  its('ListenAddress') { should eq nil }
  its('HostKey') do
    should eq [
      '/etc/ssh/ssh_host_rsa_key',
      '/etc/ssh/ssh_host_dsa_key',
      '/etc/ssh/ssh_host_ecdsa_key',
    ]
  end
end
```
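The examples above compare against a string (`UsePAM`), an array (`HostKey`) and `nil` (`ListenAddress`), and the `Ciphers` test matches one exact, order-sensitive string. As an added illustration in plain Ruby (not Chef InSpec's own code), the sketch below parses a constructed `sshd_config` under the assumption that a keyword given once yields a string, a repeated keyword an array and an absent one `nil`, then reports configured ciphers outside an approved list regardless of order; all constant and function names are hypothetical.

```ruby
# Added example: plain Ruby, not Chef InSpec's implementation.
# Constructed sample input; it does not come from a real host.
SAMPLE_SSHD_CONFIG = <<~CONF
  # global section
  Port 22
  UsePAM yes
  HostKey /etc/ssh/ssh_host_rsa_key
  HostKey /etc/ssh/ssh_host_ecdsa_key
  ciphers chacha20-poly1305@openssh.com,aes256-ctr,3des-cbc
  Match User backup
    PasswordAuthentication no
CONF

# Approved list taken from the Ciphers example on this page.
APPROVED_CIPHERS = %w[
  chacha20-poly1305@openssh.com aes256-ctr aes192-ctr aes128-ctr
].freeze

# Parse the global section into { 'keyword' => [values, ...] }.
# Keywords are case-insensitive; parsing stops at the first Match block
# because settings inside it apply only conditionally.
def parse_sshd_config(text)
  settings = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    keyword, value = line.split(/\s*=\s*|\s+/, 2)
    break if keyword.casecmp?('match')
    (settings[keyword.downcase] ||= []) << value.to_s
  end
  settings
end

# Assumed value model: absent => nil, given once => String, repeated => Array.
def value_of(settings, name)
  values = settings.fetch(name.downcase, [])
  values.length > 1 ? values : values.first
end

# Ciphers that are configured but not approved, independent of order.
# sshd uses the first value it obtains for a keyword, so only that line counts.
# Assumes an explicit list without a leading +, - or ^ modifier.
def unapproved_ciphers(settings, approved)
  first = settings.fetch('ciphers', []).first
  first.to_s.split(',').map(&:strip) - approved
end

p unapproved_ciphers(parse_sshd_config(SAMPLE_SSHD_CONFIG), APPROVED_CIPHERS) if __FILE__ == $PROGRAM_NAME
```

An empty result means every configured cipher is on the approved list, which is a weaker but less brittle condition than the exact-string `cmp` in the `Ciphers` example.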
<br>
## Matchers
For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### name
The `name` matcher tests the value of `name` as read from `sshd_config` versus the value declared in the test:

```ruby
its('name') { should cmp 'foo' }
```

or:

```ruby
its('name') { should include('bar') }
```