cfbs add delete-home-dotshosts
Host-based authentication with ~/.shosts is the equivalent to /etc/ssh/.shosts.equiv.
It allows individual users to define a list of trusted remote machines, or user-machine pairs, which are allowed to try host-based authentication.
However a global .shosts.equiv is preferable to having .shosts in each and every home directory.
Recommendation: Do not use user defined host based authentication. Use this delete-home-dotshosts module to inventory and delete ~/.shosts files. This ensures you are protected in the future, if somebody adds a ~/.shosts file.
With Mission Portal you can find hosts which have ~/.shosts files and details about reasons for exception:
If you try creating a ~/.shosts file running the agent with this module, you should see it get removed:
Example output with an exception present:
$ sudo touch /root/.shosts /home/vagrant/.shosts
# sudo cf-agent -KI
R: Found /home/vagrant/.shosts, /root/.shosts, but not removing because of exception: I got an exception for .shosts from the security czar. See JIRA-1234 for more info.
Example output without exception present:
$ sudo cf-agent -KI
info: Deleted file '/home/vagrant/.shosts'
info: Deleted file '/root/.shosts'
Define a variable delete_home_dotshosts:main.home_dir_roots as a string list with each element being a home directory root to search.
One easy way to define a variable is using augments (another is using Host specific data, as seen below).
If ~/.shosts files are really needed on some hosts, you can add an exception in one of two ways:
exception_delete_home_dotshosts class.delete_home_dotshosts:main.exception variable as a string with the reason for the exception as its value.Functionally, they do the same, but the variable allows you to list the reasons for exceptions in an Inventory report (as seen above). This can be done from the Host specific data section in host info pages inside Mission Portal, the CFEngine Enterprise Web UI. Here is an example of setting the variable:
This module has no dependencies