permit_tunnel attribute - allow tun device forwarding

README.md

@@ -55,6 +55,7 @@ override['ssh-hardening']['ssh']['server']['listen_to'] = node['ipaddress']
 * `['ssh-hardening']['ssh']['server']['allow_tcp_forwarding']` - `false`. Set to `true` to allow TCP Forwarding
 * `['ssh-hardening']['ssh']['server']['allow_agent_forwarding']` - `false`. Set to `true` to allow Agent Forwarding
 * `['ssh-hardening']['ssh']['server']['allow_x11_forwarding']` - `false`. Set to `true` to allow X11 Forwarding
+* `['ssh-hardening']['ssh']['server']['permit_tunnel']` - `false` to disable tun device forwarding. Set to `true` to allow tun device forwarding. Other accepted values: 'yes', 'no', 'point-to-point', 'ethernet'. See `man sshd_config` for exact behaviors. Note: you'll also need to enable `allow_tcp_forwarding`.
 * `['ssh-hardening']['ssh']['server']['use_pam']` - `true`. Set to `false` to disable the pam authentication of sshd
 * `['ssh-hardening']['ssh']['server']['challenge_response_authentication']` - `false`. Set to `true` to enable challenge response authentication.
 * `['ssh-hardening']['ssh']['server']['deny_users']` - `[]` to configure `DenyUsers`, if specified login is disallowed for user names that match one of the patterns.

attributes/default.rb

@@ -86,6 +86,7 @@
   server['client_alive_interval']    = 300     # 5min
   server['client_alive_count']       = 3       # ~> 3 x interval
   server['allow_root_with_key']      = false
+  server['permit_tunnel']            = false
   server['allow_tcp_forwarding']     = false
   server['allow_agent_forwarding']   = false
   server['allow_x11_forwarding']     = false

libraries/devsec_ssh.rb

@@ -126,6 +126,20 @@ def get_server_kexs(enable_weak = false)
         end
       end
 
+      # Verify values of permit_tunnel
+      def validate_permit_tunnel(value)
+        case value
+        when true
+          'yes'
+        when false
+          'no'
+        when 'yes', 'no', 'point-to-point', 'ethernet'
+          value
+        else
+          raise "Incorrect value for attribute node['ssh-hardening']['ssh']['server']['permit_tunnel']: must be boolean or a string as defined in the sshd_config man pages, you passed \"#{value}\""
+        end
+      end
+
       private
 
       # :nocov:

recipes/server.rb

@@ -177,6 +177,7 @@
     # we do lazy here to ensure we detect the version that comes with the packge update above
     lazy do
       {
+        permit_tunnel: DevSec::Ssh.validate_permit_tunnel(node['ssh-hardening']['ssh']['server']['permit_tunnel']),
         mac:          node['ssh-hardening']['ssh']['server']['mac']    || DevSec::Ssh.get_server_macs(node['ssh-hardening']['ssh']['server']['weak_hmac']),
         kex:          node['ssh-hardening']['ssh']['server']['kex']    || DevSec::Ssh.get_server_kexs(node['ssh-hardening']['ssh']['server']['weak_kex']),
         cipher:       node['ssh-hardening']['ssh']['server']['cipher'] || DevSec::Ssh.get_server_ciphers(node['ssh-hardening']['ssh']['server']['cbc_required']),

spec/libraries/devsec_ssh_spec.rb

@@ -314,4 +314,30 @@ def self.debug(*); end
       subject.send(:get_ssh_client_version)
     end
   end
+
+  describe 'validate_permit_tunnel' do
+    context 'with value of false' do
+      it 'should return no' do
+        expect(subject.send(:validate_permit_tunnel, false)).to eq 'no'
+      end
+    end
+
+    context 'with value of true' do
+      it 'should return yes' do
+        expect(subject.send(:validate_permit_tunnel, true)).to eq 'yes'
+      end
+    end
+
+    context 'with a valid string ethernet' do
+      it 'should return ethernet' do
+        expect(subject.send(:validate_permit_tunnel, 'ethernet')).to eq 'ethernet'
+      end
+    end
+
+    context 'with an invalid string' do
+      it 'should raise exception' do
+        expect { subject.send(:validate_permit_tunnel, 'IAmNotValid') }.to raise_exception('Incorrect value for attribute node[\'ssh-hardening\'][\'ssh\'][\'server\'][\'permit_tunnel\']: must be boolean or a string as defined in the sshd_config man pages, you passed "IAmNotValid"')
+      end
+    end
+  end
 end

spec/recipes/server_spec.rb

@@ -226,6 +226,36 @@
     end
   end
 
+  describe 'permit_tunnel options' do
+    let(:permit_tunnel) { false }
+
+    let(:chef_run) do
+      ChefSpec::ServerRunner.new do |node|
+        node.normal['ssh-hardening']['ssh']['server']['permit_tunnel'] = permit_tunnel
+      end.converge(described_recipe)
+    end
+
+    context 'with default value of false' do
+      it 'should set PermitTunnel to no' do
+        expect(chef_run).to render_file('/etc/ssh/sshd_config').with_content('PermitTunnel no')
+      end
+    end
+
+    context 'with value of true' do
+      let(:permit_tunnel) { true }
+      it 'should set PermitTunnel to yes' do
+        expect(chef_run).to render_file('/etc/ssh/sshd_config').with_content('PermitTunnel yes')
+      end
+    end
+
+    context 'with a valid string' do
+      let(:permit_tunnel) { 'ethernet' }
+      it 'should set PermitTunnel to ethernet' do
+        expect(chef_run).to render_file('/etc/ssh/sshd_config').with_content('PermitTunnel ethernet')
+      end
+    end
+  end
+
   it 'should set UsePAM to yes per default' do
     expect(chef_run).to render_file('/etc/ssh/sshd_config').with_content('UsePAM yes')
   end

templates/default/opensshd.conf.erb

@@ -161,7 +161,7 @@ ClientAliveInterval <%= @node['ssh-hardening']['ssh']['server']['client_alive_in
 ClientAliveCountMax <%= @node['ssh-hardening']['ssh']['server']['client_alive_count'] %>
 
 # Disable tunneling
-PermitTunnel no
+PermitTunnel <%= @permit_tunnel %>
 
 # Disable forwarding tcp connections.
 # no real advantage without denied shell access