Manage sshd_config file

This is based on Mozilla's Modern sshd_config from:
https://wiki.mozilla.org/Security/Guidelines/OpenSSH

Note that root login is still allowed,
because we have not yet set up per-user accounts.

The other main wrinkle is that most of our Macs are on 10.10.5,
which ships an older OpenSSH (version 6.2p2) missing support for many
of the newer cryptographic algorithms found in more recent versions,
and which additionally uses a non-standard location for the actual
sshd_config file itself, `/etc/sshd_config` not `/etc/ssh/sshd_config`.

Add a test to ensure the sshd_config file is properly parsed and
validated by the OpenSSH version on the machine to help guard
against this behavior.
However, while our machines are using 10.10.5,
our Travis configuration of `osx_image: xcode7.3` loads a 10.11 image.
Our actual builders have a variety of XCode versions,
though most of them have XCode 7.2.1.

Author: aneeshusa

.travis/dispatch.sh

@@ -137,6 +137,7 @@ else
         ./test.py sls.servo-build-dependencies.android
     fi
 
+    ./test.py sls.admin
     # Salt doesn't support timezone.system on OSX
     # See https://github.com/saltstack/salt/issues/31345
     if [[ ! "${SALT_NODE_ID}" =~ servo-mac* ]]; then

admin/files/sshd_config

@@ -0,0 +1,35 @@
+# Most of our Macs have an older version of OpenSSH,
+# so specify alternate cryptographic settings for those machines
+{% if grains['os'] != 'MacOS' %}
+HostKey /etc/ssh/ssh_host_ed25519_key
+KexAlgorithms [email protected]
+Ciphers [email protected]
+# No explicit MACs listed because poly1305 is a MAC
+{% else %}
+HostKey /etc/ssh/ssh_host_rsa_key
+KexAlgorithms diffie-hellman-group-exchange-sha256
+Ciphers [email protected],[email protected]
+MACs [email protected],[email protected],[email protected]
+{% endif %}
+
+# Only pubkey authentication is enabled, i.e. password logins are disabled
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+PubkeyAuthentication yes
+AuthenticationMethods publickey
+# TODO: Disable root login after creating per-user accounts
+#PermitRootLogin no
+
+MaxAuthTries 2
+LoginGraceTime 1m
+
+{% if grains['kernel'] == 'Linux' %}
+UsePAM yes
+# PAM does this
+PrintMotd no
+{% endif %}
+
+UsePrivilegeSeparation sandbox
+# LogLevel VERBOSE logs user's key fingerprint on login.
+# Needed to have a clear audit track of which key was using to log in.
+LogLevel VERBOSE

admin/init.sls

@@ -7,7 +7,8 @@ admin-packages:
       - tmux
       - mosh
       {% if grains['os'] != 'MacOS' %}
-      - screen # Installed by default on OS X
+      - openssh-server # Use default macOS version, not Homebrew's
+      - screen # Installed by default on macOS
       {% endif %}
 
 {% if grains['os'] != 'MacOS' and grains.get('virtual_subtype', '') != 'Docker' %}
@@ -22,6 +23,19 @@ UTC:
     - mode: 644
     - source: salt://{{ tpldir }}/files/hosts
 
+sshd_config:
+  file.managed:
+    {% if grains['os'] != 'MacOS' %}
+    - name: /etc/ssh/sshd_config
+    {% else %}
+    - name: /etc/sshd_config
+    {% endif %}
+    - user: {{ root.user }}
+    - group: {{ root.group }}
+    - mode: 644
+    - template: jinja
+    - source: salt://{{ tpldir }}/files/sshd_config
+
 sshkeys-dir:
   file.directory:
     - name: {{ root.home }}/.ssh
@@ -41,3 +55,14 @@ sshkeys:
       {% endfor %}
     - require:
       - file: sshkeys-dir
+
+{% if grains['os'] != 'MacOS' %}
+sshd:
+  service.running:
+    - name: ssh
+    - enable: True
+    - require:
+      - file: sshkeys
+    - watch:
+      - file: sshd_config
+{% endif %}

tests/sls/admin/__init__.py

@@ -0,0 +1,25 @@
+import subprocess
+import sys
+
+from tests.util import Failure, Success
+
+
+def run():
+    sshd_config = '/etc/ssh/sshd_config'
+    if sys.platform == 'darwin':
+        sshd_config = '/etc/sshd_config'
+
+    proc = subprocess.Popen(
+        ['sshd', '-T', '-f', sshd_config],
+        stdout=subprocess.DEVNULL,
+        stderr=subprocess.PIPE,
+        universal_newlines=True
+    )
+    _, stderr = proc.communicate()
+
+    if proc.returncode != 0:
+        return Failure(
+            'Invalid sshd_config file:', stderr
+        )
+
+    return Success('SSHD config file is valid')