add windows support

cookbooks/fb_ssh/README.md

@@ -25,31 +25,36 @@ packages for ssh.
 You can skip package management if you have local packages or otherwise need to
 do your own management by setting `manage_packages` to false.
 
+Given the many ways to manage packages on Windows, especially for SSH,
+we default `manage_packages` to false on Windows.
+
 ### Server configuration (sshd_config)
 The `sshd_config` hash holds configs that go into `/etc/ssh/sshd_config`. In
 general each key can have one of three types, bool, string/ints, or array.
 
 Bools are translated into `yes`/`no` when emitted into the config file. These
 are straight-forward:
 
-```
+```ruby
 node.default['fb_ssh']['sshd_config']['PubkeyAuthentication'] = true
 ```
 
 Becomes:
-```
+
+```text
 PubkeyAuthentication yes
 ```
 
 Strings and ints are always treated like normal strings:
 
-```
+```ruby
 node.default['fb_ssh']['sshd_config']['ClientAliveInterval'] = 0
 node.default['fb_ssh']['sshd_config']['ForceCommand'] = '/bin/false'
 ```
 
 Becomes:
-```
+
+```text
 ClientAliveInterval 0
 ForceCommand /bin/false
 ```
@@ -59,7 +64,7 @@ here to make management easy, one could clearly take a multi-value value key
 and make it a string and it would work, but we support arrays to make modifying
 the value later in the runlist easier. For example:
 
-```
+```ruby
 node.default['fb_ssh']['sshd_config']['AuthorizedKeysFile'] = [
   '.ssh/authorized_keys',
   '.ssh/authorized_keys2',
@@ -68,13 +73,14 @@ node.default['fb_ssh']['sshd_config']['AuthorizedKeysFile'] = [
 
 Means later it's easy for someone to do:
 
-```
+```ruby
 node.default['fb_ssh']['sshd_config']['AuthorizedKeysFile'].
   delete('.ssh/authorized_keys2')
 ```
 
 or:
-```
+
+```ruby
 node.default['fb_ssh']['sshd_config']['AuthorizedKeysFile'] <<
   '/etc/ssh/authorized_keys/%u'
 ```
@@ -96,7 +102,7 @@ change the order of your match statements, so be careful.
 Match statements are the exception to the datatype rule above - their value is
 a hash, and that hash is treated the same as the top-level sshd_config hash:
 
-```
+```ruby
 node.default['fb_ssh']['sshd_config']['Match Address 1.2.3.4'] => {
   'PasswordAuthentication' => true,
 }
@@ -114,7 +120,7 @@ happen:
    `node['fb_ssh']['authorized_principals_users']`. The format of the
    `authorized_principals` attribute is:
 
-```
+```ruby
 node.default['fb_ssh']['authorized_principals'][$USER] = ['one', 'two']
 ```
 
@@ -130,15 +136,15 @@ These work similarly to Authorized Principals. If you set
    `node['fb_ssh']['authorized_keys_users']`. The format of the items
    in databag is:
 
-```
+```ruby
 {
   'id': $USER,
   'keyname1': $KEY1,
   'keyname2': $KEY2,
   ...
 }
 ```
-    
+
 There should be one item for each user, as many keys as you'd like may
 be in that item.
 
@@ -151,11 +157,17 @@ node.default['fb_ssh']['authorized_keys']['john']['key1'] = '...'
 
 Anything in the node overrides databags.
 
+*NOTE FOR WINDOWS USERS*: On Windows the keys are managed in the homedirectory,
+not in a central location. This is because usernames are often in the format of
+`domain\user`, which means that `%u` causes sshd to expand the path to
+`C:\ProgramData\ssh\authorized_keys\domain\\user`, which is an illegal filename
+you can never make.
+
 ### Client config (ssh_config)
 The client config works the same as the server config, except the special-case
 is `Host` keys instead of `Match` keys. As an example:
 
-```
+```ruby
 node.default['fb_ssh']['ssh_config']['ForwardAgent'] = true
 node.default['fb_ssh']['ssh_config']['Host *.cool.com'] = {
   'ForwardX11' => true,

cookbooks/fb_ssh/attributes/default.rb

@@ -32,7 +32,7 @@
 
 default['fb_ssh'] = {
   'enable_central_authorized_keys' => false,
-  'manage_packages' => true,
+  'manage_packages' => !node.windows?,
   'sshd_config' => {
     'PermitRootLogin' => false,
     'UsePAM' => true,

cookbooks/fb_ssh/libraries/default.rb

@@ -17,9 +17,13 @@
 
 module FB
   class SSH
+    def self.confdir(node)
+      node.windows? ? 'C:/ProgramData/ssh' : '/etc/ssh'
+    end
+
     DESTDIR = {
-      'keys' => '/etc/ssh/authorized_keys',
-      'principals' => '/etc/ssh/authorized_princs',
+      'keys' => 'authorized_keys',
+      'principals' => 'authorized_princs',
     }.freeze
   end
 end

cookbooks/fb_ssh/metadata.rb

@@ -27,3 +27,4 @@
 supports 'centos'
 supports 'debian'
 supports 'ubuntu'
+supports 'windows'

cookbooks/fb_ssh/recipes/default.rb

@@ -21,11 +21,14 @@
 client_pkg = value_for_platform_family(
   ['rhel', 'fedora'] => 'openssh-clients',
   ['debian'] => 'openssh-client',
+  # not used, but keeps the resource compiling
+  ['windows'] => 'openssh-client',
 )
 
 svc = value_for_platform_family(
   ['rhel', 'fedora'] => 'sshd',
   ['debian'] => 'ssh',
+  ['windows'] => 'sshd',
 )
 
 package client_pkg do
@@ -34,11 +37,13 @@
 end
 
 package 'openssh-server' do
+  only_if { node['fb_ssh']['manage_packages'] }
   action :upgrade
   notifies :restart, 'service[ssh]'
 end
 
 whyrun_safe_ruby_block 'handle late binding ssh configs' do
+  not_if { node.windows? }
   block do
     %w{keys principals}.each do |type|
       enable_name = "enable_central_authorized_#{type}"
@@ -50,30 +55,38 @@
           )
         end
         node.default['fb_ssh']['sshd_config'][cfgname] =
-          "#{FB::SSH::DESTDIR[type]}/%u"
+          File.join(FB::SSH.confdir(node), FB::SSH::DESTDIR[type], '%u')
       end
     end
   end
 end
 
-template '/etc/ssh/sshd_config' do
+template ::File.join(FB::SSH.confdir(node), 'sshd_config') do
   source 'ssh_config.erb'
-  owner 'root'
-  group 'root'
-  mode '0644'
+  unless node.windows?
+    owner 'root'
+    group 'root'
+    mode '0644'
+    if node.windows?
+      verify '"C:/Program Files/OpenSSH-Win64/sshd.exe" -t -f %{path}'
+    else
+      verify '/usr/sbin/sshd -t -f %{path}'
+    end
+  end
   variables({ :type => 'sshd_config' })
-  verify '/usr/sbin/sshd -t -f %{path}'
   # in firstboot we may not be able to get in until ssh is restarted
   # on the desired config, so restart immediately. Otherwise, delay
   ntype = node.firstboot_any_phase? ? :immediately : :delayed
   notifies :restart, 'service[ssh]', ntype
 end
 
-template '/etc/ssh/ssh_config' do
+template ::File.join(FB::SSH.confdir(node), 'ssh_config') do
   source 'ssh_config.erb'
-  owner 'root'
-  group 'root'
-  mode '0644'
+  unless node.windows?
+    owner 'root'
+    group 'root'
+    mode '0644'
+  end
   variables({ :type => 'ssh_config' })
 end
 
@@ -94,3 +107,9 @@
   service_name svc
   action [:enable, :start]
 end
+
+if node.windows?
+  service 'ssh-agent' do
+    action [:enable, :start]
+  end
+end

cookbooks/fb_ssh/resources/authorization.rb

@@ -17,12 +17,14 @@
 
 action_class do
   def manage(type)
-    keydir = FB::SSH::DESTDIR[type]
+    keydir = ::File.join(FB::SSH.confdir(node), FB::SSH::DESTDIR[type])
 
     directory keydir do
-      owner 'root'
-      group 'root'
-      mode '0755'
+      unless node.windows?
+        owner 'root'
+        group 'root'
+        mode '0755'
+      end
     end
 
     unless node['fb_ssh']["authorized_#{type}_users"].empty?
@@ -40,11 +42,35 @@ def manage(type)
     auth_map.each_key do |user|
       next if allowed_users && !allowed_users.include?(user)
 
-      template "#{keydir}/#{user}" do
+      # windows sucks and on ssh the "username" is "corp\\whatever" which is
+      # not a valid file name. Ugh. So we leave it in the user's homedir
+      if node.windows?
+        user = user.split('\\').last
+        homedir = "C:/Users/#{user}"
+        keyfile = "#{homedir}/.ssh/authorized_keys"
+        # users who don't have homedirectories, we skip
+        next unless ::File.exist?(homedir)
+
+        directory "#{homedir}/.ssh" do
+          rights :read, user
+          rights :full_control, 'Administrators'
+          inherits false
+        end
+      else
+        keyfile = "#{keydir}/#{user}"
+      end
+
+      template keyfile do
         source "authorized_#{type}.erb"
-        owner 'root'
-        group 'root'
-        mode '0644'
+        if node.windows?
+          rights :read, user
+          rights :full_control, 'Administrators'
+          inherits false
+        else
+          owner 'root'
+          group 'root'
+          mode '0644'
+        end
         if type == 'keys' && !auth_map[user]
           d = data_bag_item('fb_ssh_authorized_keys', user)
           d.delete('id')