From 196e03550a8a0efdc2e7f8699183d0c6fa50e5cb Mon Sep 17 00:00:00 2001
From: eric
Date: Thu, 17 Aug 2017 08:10:49 -0600
Subject: [PATCH] Make sshd_config mode 600 for rhel systems (#18)

* make sshd_config mode 600 for rhel systems
* bump version
* change attribute name to sshd_config_mode, and undo version bump
---
 attributes/default.rb | 9 +++++++++
 definitions/openssh_server.rb | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/attributes/default.rb b/attributes/default.rb
index a0100fc..4f7041a 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -71,6 +71,15 @@
 'GSSAPIAuthentication' => 'no'
 }

+# sshd_config permissions
+default['sshd']['sshd_config_mode'] =
+ case node['platform_family']
+ when 'debian', 'mac_os_x'
+ '0o644'
+ when 'rhel', 'fedora'
+ '0o600'
+ end
+
 # Initialize sftp subsystem
 default['sshd']['sshd_config']['Subsystem'] =
 case node['platform_family']
diff --git a/definitions/openssh_server.rb b/definitions/openssh_server.rb
index b225b16..8a9b627 100644
--- a/definitions/openssh_server.rb
+++ b/definitions/openssh_server.rb
@@ -48,7 +48,7 @@ class Chef::Recipe
 template filename do
 owner 'root'
 group node['root_group']
- mode 0o644
+ mode node['sshd']['sshd_config_mode']
 cookbook cookbook
 source source
 variables config: sshd_config
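Review bot: The `case` that sets `default['sshd']['sshd_config_mode']` has no `else` branch, so on any platform family other than the four listed the attribute is `nil`. The second hunk passes that value straight to `mode` in definitions/openssh_server.rb, where the fixed `0o644` used to be. With a nil mode Chef should leave the file's permissions unmanaged, so sshd_config would keep whatever mode it already has, or take one from the umask when it is first created. Adding `else` with `'0o600'` before `end` keeps the mode explicit on every platform and defaults to the restrictive value. A one-line comment saying why rhel and fedora get 0600 would also help the next reader.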
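Review bot: `mode` used to receive the integer literal `0o644` here and now receives a string, `'0o644'` or `'0o600'`, from the attribute set in attributes/default.rb. Chef's documented string form for a mode is plain quoted octal such as `'0644'` and `'0600'`; the `0o`-prefixed strings appear to work only because Ruby's octal parsing accepts that prefix, so either confirm this on the supported Chef versions or switch the attribute values to the plain form. Because the value can now be overridden per node, a ChefSpec or integration check that the rendered sshd_config is 0600 on rhel would catch an override that loosens it. The enclosing `template` block continues past the end of the hunk.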