Manage sshd_config file

This is based on Mozilla's Modern sshd_config from:
https://wiki.mozilla.org/Security/Guidelines/OpenSSH

Note that root login is still allowed,
because we have not yet set up per-user accounts.

Add a test to ensure the sshd_config file is properly parsed and
validated by the OpenSSH version on the machine to help guard
against this behavior.

Author: aneeshusa

.travis/dispatch.sh

@@ -137,6 +137,7 @@ else
         ./test.py sls.servo-build-dependencies.android
     fi
 
+    ./test.py sls.admin
     # Salt doesn't support timezone.system on OSX
     # See https://github.com/saltstack/salt/issues/31345
     if [[ ! "${SALT_NODE_ID}" =~ servo-mac* ]]; then

admin/files/sshd_config

@@ -0,0 +1,25 @@
+HostKey /etc/ssh/ssh_host_ed25519_key
+KexAlgorithms [email protected]
+Ciphers [email protected]
+
+# Only pubkey authentication is enabled, i.e. password logins are disabled
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+PubkeyAuthentication yes
+AuthenticationMethods publickey
+# TODO: Disable root login after creating per-user accounts
+PermitRootLogin yes
+
+MaxAuthTries 2
+LoginGraceTime 1m
+
+{% if grains['kernel'] == 'Linux' %}
+UsePAM yes
+# PAM does this
+PrintMotd no
+{% endif %}
+
+UsePrivilegeSeparation sandbox
+# LogLevel VERBOSE logs user's key fingerprint on login.
+# Needed to have a clear audit track of which key was using to log in.
+LogLevel VERBOSE

admin/init.sls

@@ -7,7 +7,8 @@ admin-packages:
       - tmux
       - mosh
       {% if grains['os'] != 'MacOS' %}
-      - screen # Installed by default on OS X
+      - openssh-server # Use default macOS version, not Homebrew's
+      - screen # Installed by default on macOS
       {% endif %}
 
 {% if grains['os'] != 'MacOS' and grains.get('virtual_subtype', '') != 'Docker' %}
@@ -22,6 +23,15 @@ UTC:
     - mode: 644
     - source: salt://{{ tpldir }}/files/hosts
 
+sshd_config:
+  file.managed:
+    - name: /etc/ssh/sshd_config
+    - user: {{ root.user }}
+    - group: {{ root.group }}
+    - mode: 644
+    - template: jinja
+    - source: salt://{{ tpldir }}/files/sshd_config
+
 sshkeys-dir:
   file.directory:
     - name: {{ root.home }}/.ssh
@@ -41,3 +51,14 @@ sshkeys:
       {% endfor %}
     - require:
       - file: sshkeys-dir
+
+{% if grains['os'] != 'MacOS' %}
+sshd:
+  service.running:
+    - name: ssh
+    - enable: True
+    - require:
+      - file: sshkeys
+    - watch:
+      - file: sshd_config
+{% endif %}

tests/sls/admin/__init__.py

@@ -0,0 +1,21 @@
+import subprocess
+import sys
+
+from tests.util import Failure, Success
+
+
+def run():
+    proc = subprocess.Popen(
+        ['sshd', '-T', '-f', '/etc/ssh/sshd_config'],
+        stdout=subprocess.DEVNULL,
+        stderr=subprocess.PIPE,
+        universal_newlines=True
+    )
+    _, stderr = proc.communicate()
+
+    if proc.returncode != 0:
+        return Failure(
+            'Invalid sshd_config file:', stderr
+        )
+
+    return Success('SSHD config file is valid')