Disable experimental client roaming

ascendantlogic · ascendantlogic · commit 958abbe03217 · 2016-01-14T13:27:25.000-05:00
diff --git a/metadata.rb b/metadata.rb
@@ -21,9 +21,8 @@
 license          "Apache 2.0"
 description      "This cookbook installs and provides secure ssh and sshd configurations."
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version          "1.1.0"
+version          "1.2.0"
 
 recipe 'ssh-hardening::default', 'installs and configures ssh client and server'
 recipe 'ssh-hardening::client', 'install and apply security hardening for ssh client'
 recipe 'ssh-hardening::server', 'install and apply security hardening for ssh server'
-
diff --git a/spec/recipes/client_spec.rb b/spec/recipes/client_spec.rb
@@ -61,6 +61,11 @@
       with_content(/Ciphers [^#]*-cbc\b/)
   end
 
+  it 'disables client roaming' do
+    expect(chef_run).to render_file('/etc/ssh/ssh_config').
+      with_content(/UseRoaming no/)
+  end
+
   it 'enables ctr ciphers' do
     expect(chef_run).to render_file('/etc/ssh/ssh_config').
       with_content(/Ciphers [^#]*\baes128-ctr\b/).
diff --git a/templates/default/openssh.conf.erb b/templates/default/openssh.conf.erb
@@ -3,9 +3,9 @@
 <% end %>
 #---
 
-# This is the ssh client system-wide configuration file. 
+# This is the ssh client system-wide configuration file.
 # See ssh_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.
-# 
+#
 # Created for OpenSSH v5.9
 
 # Basic configuration
@@ -49,15 +49,15 @@ StrictHostKeyChecking ask
 # CBC: is true if you want to connect with OpenSSL-base libraries
 # eg ruby Net::SSH::Transport::CipherFactory requires cbc-versions of the given openssh ciphers to work
 # -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html)
-# 
+#
 <% if @cipher %>
 Ciphers <%= @cipher %>
 <% end %>
 
 # **Hash algorithms** -- Make sure not to use SHA1 for hashing, unless it is really necessary.
-# Weak HMAC is sometimes required if older package versions are used 
+# Weak HMAC is sometimes required if older package versions are used
 # eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case.
-# 
+#
 <% if @mac %>
 MACs <%= @mac %>
 <% end %>
@@ -68,7 +68,7 @@ MACs <%= @mac %>
 # **Key Exchange Algorithms** -- Make sure not to use SHA1 for kex, unless it is really necessary
 # Weak kex is sometimes required if older package versions are used
 # eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case.
-# 
+#
 <% if @kex %>
 KexAlgorithms <%= @kex %>
 <% end %>
@@ -108,4 +108,7 @@ PermitLocalCommand no
 Compression yes
 
 #EscapeChar ~
-#VisualHostKey yes
+#VisualHostKey yes
+
+# http://undeadly.org/cgi?action=article&sid=20160114142733
+UseRoaming no
