From 067db68fa3a83b4af8e2ea468221f1b6a6400606 Mon Sep 17 00:00:00 2001 From: Gabor Gombas Date: Fri, 11 Jan 2019 12:32:44 +0100 Subject: [PATCH 01/14] ncm-metaconfig/ssh: Minor reformatting --- .../src/main/metaconfig/ssh/client_attrs.tt | 21 +++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/client_attrs.tt b/ncm-metaconfig/src/main/metaconfig/ssh/client_attrs.tt index 6a747dbd12..ec22e4559d 100644 --- a/ncm-metaconfig/src/main/metaconfig/ssh/client_attrs.tt +++ b/ncm-metaconfig/src/main/metaconfig/ssh/client_attrs.tt 
@@ -3,12 +3,21 @@
 'MACs', 'PreferredAuthentications', 'CanonicalDomains', 'CanonicalizePermittedCNAMEs', 'KexAlgorithms',
 ] -%]
 [% multilinelist = ['IdentityFile', 'RevokedHostKeys'] -%]
-[% booleans = ['BatchMode', 'CanonicalizeFallbackLocal', 'ChallengeResponseAuthentication', 'CheckHostIP',
- 'ClearAllForwardings', 'Compression', 'EnableSSHKeysign', 'ExitOnForwardFailure', 'ForwardAgent', 'ForwardX11',
- 'ForwardX11Trusted', 'GatewayPorts', 'GSSAPIAuthentication', 'GSSAPIDelegateCredentials', 'HashKnownHosts',
- 'HostbasedAuthentication', 'IdentitiesOnly', 'KbdInteractiveAuthentication', 'NoHostAuthenticationForLocalhost',
- 'PasswordAuthentication', 'PermitLocalCommand', 'ProxyUseFdpass', 'PubkeyAuthentication', 'RhostsRSAAuthentication',
- 'RSAAuthentication', 'StreamLocalBindUnlink', 'TCPKeepAlive', 'UsePrivilegedPort', 'VisualHostKey',
+[% booleans = ['BatchMode',
+ 'CanonicalizeFallbackLocal', 'ChallengeResponseAuthentication', 'CheckHostIP', 'ClearAllForwardings', 'Compression',
+ 'EnableSSHKeysign', 'ExitOnForwardFailure',
+ 'ForwardAgent', 'ForwardX11', 'ForwardX11Trusted',
+ 'GatewayPorts', 'GSSAPIAuthentication', 'GSSAPIDelegateCredentials',
+ 'HashKnownHosts', 'HostbasedAuthentication',
+ 'IdentitiesOnly',
+ 'KbdInteractiveAuthentication',
+ 'NoHostAuthenticationForLocalhost',
+ 'PasswordAuthentication', 'PermitLocalCommand', 'ProxyUseFdpass', 'PubkeyAuthentication',
+ 'RhostsRSAAuthentication', 'RSAAuthentication',
+ 'StreamLocalBindUnlink',
+ 'TCPKeepAlive',
+ 'UsePrivilegedPort',
+ 'VisualHostKey',
 ] -%]
 
 [%- FOREACH pair IN data.pairs -%]
From aebeab5fc5c3f7cc2557b6e8f3536ce0a9500d03 Mon Sep 17 00:00:00 2001
From: Gabor Gombas Date: Fri, 11 Jan 2019 12:36:56 +0100 Subject: [PATCH 02/14] ncm-metaconfig/ssh: Add more client options --- .../src/main/metaconfig/ssh/client_attrs.tt | 16 +++++++++++----- .../src/main/metaconfig/ssh/pan/schema.pan | 17 +++++++++++++++++ .../ssh/tests/profiles/client_allopts.pan | 16 ++++++++++++++++ .../ssh/tests/regexps/client_allopts/base | 17 +++++++++++++++++ 4 files changed, 61 insertions(+), 5 deletions(-) diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/client_attrs.tt b/ncm-metaconfig/src/main/metaconfig/ssh/client_attrs.tt index ec22e4559d..3d331f0e3c 100644 --- a/ncm-metaconfig/src/main/metaconfig/ssh/client_attrs.tt +++ b/ncm-metaconfig/src/main/metaconfig/ssh/client_attrs.tt 
@@ -1,13 +1,15 @@
-[% spacelist = ['SendEnv', 'GlobalKnownHostsFile', 'IgnoreUnknown', 'UserKnownHostsFile' ] -%]
-[% commalist = ['Ciphers', 'HostbasedKeyTypes','HostKeyAlgorithms', 'KbdInteractiveDevices', 'KbdInteractiveDevices',
- 'MACs', 'PreferredAuthentications', 'CanonicalDomains', 'CanonicalizePermittedCNAMEs', 'KexAlgorithms',
+[% spacelist = ['SendEnv', 'GlobalKnownHostsFile', 'IgnoreUnknown', 'Include', 'UserKnownHostsFile' ] -%]
+[% commalist = ['CASignatureAlgorithms', 'CanonicalDomains', 'CanonicalizePermittedCNAMEs', 'Ciphers',
+ 'GSSAPIKexAlgorithms', 'HostbasedKeyTypes','HostKeyAlgorithms',
+ 'KbdInteractiveDevices', 'KexAlgorithms', 'KbdInteractiveDevices',
+ 'MACs', 'PreferredAuthentications', 'PubkeyAcceptedKeyTypes', 'ProxyJump',
 ] -%]
-[% multilinelist = ['IdentityFile', 'RevokedHostKeys'] -%]
+[% multilinelist = ['CertificateFile', 'IdentityFile', 'RevokedHostKeys'] -%]
 [% booleans = ['BatchMode',
 'CanonicalizeFallbackLocal', 'ChallengeResponseAuthentication', 'CheckHostIP', 'ClearAllForwardings', 'Compression',
 'EnableSSHKeysign', 'ExitOnForwardFailure',
 'ForwardAgent', 'ForwardX11', 'ForwardX11Trusted',
- 'GatewayPorts', 'GSSAPIAuthentication', 'GSSAPIDelegateCredentials',
+ 'GatewayPorts', 'GSSAPIAuthentication', 'GSSAPIDelegateCredentials', 'GSSAPIKeyExchange', 'GSSAPIRenewalForcesRekey', 'GSSAPITrustDns',
 'HashKnownHosts', 'HostbasedAuthentication',
 'IdentitiesOnly',
 'KbdInteractiveAuthentication',
@@ -33,6 +35,10 @@
 [% FOREACH line IN pair.value -%]
 [% pair.key %] [% line %]
 [% END -%]
+[% CASE 'SetEnv' -%]
+[% FOREACH item IN pair.value.pairs -%]
+SetEnv [% item.key %]="[% item.value %]"
+[% END -%]
 [% CASE -%]
 [% pair.key %] [% pair.value %]
 [% END -%]
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan b/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan
index 25b47c179c..a79f2b5845 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan
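Review bot: The rewritten `commalist` in the first hunk still carries the pre-existing duplicate — `'KbdInteractiveDevices', 'KexAlgorithms', 'KbdInteractiveDevices',` — and the second occurrence should be dropped while the line is being touched anyway. The same hunk adds `'GSSAPIKexAlgorithms'` to `commalist`, but none of this patch's schema.pan hunks (whose 17 additions are all visible) adds a `GSSAPIKexAlgorithms` key to `ssh_config_opts`, and client_allopts.pan does not exercise it; unless the key already exists in the schema, the template entry has no schema backing and is untestable. In the second hunk, `SetEnv [% item.key %]="[% item.value %]"` wraps the value in double quotes but does not escape a `"` inside the value, so a value containing a quote would produce a malformed line; a short comment stating that values must not contain `"` (or a filter that escapes them) would make the contract explicit.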
@@ -17,17 +17,22 @@ type temp_ssh_kexalgorithms = string with match (SELF, "^(diffie-hellman-group(1
 type temp_ssh_MACs = string with match(SELF, "^(hmac-(sha1|sha1-96|sha2-256|sha2-512|md5|md5-96|ripemd160)|" +
 "(hmac-ripemd160|umac-64|umac-128|hmac-sha1-etm|hmac-sha1-96-etm|hmac-sha2-256-etm|hmac-sha2-512-etm|" +
 "hmac-md5-etm|hmac-md5-96-etm|hmac-ripemd160-etm|umac-64-etm|umac-128-etm)@openssh.com)$");
+type temp_ssh_CAAlgorithms = string with match(SELF, "^(ecdsa-sha2-nistp(256|384|521)|ssh-ed25519|rsa-sha2-(256|512)|ssh-rsa)$");
 
 
 type ssh_config_opts = {
+ 'AddKeysToAgent' ? string with match (SELF, "^(yes|no|ask|confirm)$")
 'AddressFamily' ? string with match (SELF, "^(any|inet|inet6)$")
 'BatchMode' ? boolean
 'BindAddress' ? string
+ 'BindInterface' ? string
 'CanonicalDomains' ? string[]
 'CanonicalizeFallbackLocal' ? boolean
 'CanonicalizeHostname' ? string with match (SELF, "^(yes|no|always)$")
 'CanonicalizeMaxDots' ? long(0..)
 'CanonicalizePermittedCNAMEs' ? string[]
+ 'CASignatureAlgorithms' ? temp_ssh_CAAlgorithms[]
+ 'CertificateFile' ? string[]
 'ChallengeResponseAuthentication' ? boolean
 'CheckHostIP' ? boolean
 'Cipher' ? string with match (SELF, "^(blowfish|3des|des)$")
@@ -52,7 +57,12 @@ type ssh_config_opts = {
 'GatewayPorts' ? boolean
 'GlobalKnownHostsFile' ? string[]
 'GSSAPIAuthentication' ? boolean
+ 'GSSAPIClientIdentity' ? string
 'GSSAPIDelegateCredentials' ? boolean
+ 'GSSAPIKeyExchange' ? boolean
+ 'GSSAPIRenewalForcesRekey' ? boolean
+ 'GSSAPIServerIdentity' ? string
+ 'GSSAPITrustDns' ? boolean
 'HashKnownHosts' ? boolean
 'HostbasedAuthentication' ? boolean
 'HostbasedKeyTypes' ? string[]
@@ -60,8 +70,10 @@ type ssh_config_opts = {
 'HostKeyAlias' ? string
 'HostName' ? string
 'IdentitiesOnly' ? boolean
+ 'IdentityAgent' ? string
 'IdentityFile' ? string[]
 'IgnoreUnknown' ? string[]
+ 'Include' ? string[]
 'IPQoS' ? string with match (SELF, "^(af[1234][123]|cs[0-7]|ef|lowdelay|throughput|reliability)$")
 'KbdInteractiveAuthentication' ? boolean
 'KbdInteractiveDevices' ? temp_ssh_kbdinteractivedevices[]
@@ -79,9 +91,12 @@ type ssh_config_opts = {
 'PreferredAuthentications' ? string[]
 'Protocol' ? long(1..2)
 'ProxyCommand' ? string
+ 'ProxyJump' ? string[]
 'ProxyUseFdpass' ? boolean
+ 'PubkeyAcceptedKeyTypes' ? temp_ssh_hostkeyalgorithms[]
 'PubkeyAuthentication' ? boolean
 'RekeyLimit' ? string
+ 'RemoteCommand' ? string
 'RemoteForward' ? string
 'RequestTTY' ? string with match (SELF, "^(yes|no|force|auto)$")
 'RevokedHostKeys' ? string[]
@@ -90,9 +105,11 @@ type ssh_config_opts = {
 'SendEnv' ? string[]
 'ServerAliveCountMax' ? long(0..)
 'ServerAliveInterval' ? long(0..)
+ 'SetEnv' ? string{}
 'StreamLocalBindMask' ? string
 'StreamLocalBindUnlink' ? boolean
 'StrictHostKeyChecking' ? string with match (SELF, "^(yes|no|ask)$")
+ 'SyslogFacility' ? string with match(SELF, "^(DAEMON|USER|AUTH|LOCAL[0-7])$")
 'TCPKeepAlive' ? boolean
 'Tunnel' ? string with match (SELF, "^(yes|no|point-to-point|ethernet)$")
 'TunnelDevice' ? string
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/client_allopts.pan b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/client_allopts.pan
index dc93c9c719..c7f5db70f4 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/client_allopts.pan
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/client_allopts.pan
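Review bot: The added `SyslogFacility` entry in the last hunk writes `match(SELF, ...)` while every neighbouring entry of `ssh_config_opts` in these hunks writes `match (SELF, ...)`; the file mixes both spellings already in its `temp_ssh_*` types, but within one type block the new line stands out. Suggest `'SyslogFacility' ? string with match (SELF, "^(DAEMON|USER|AUTH|LOCAL[0-7])$")` to keep the block uniform.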
@@ -4,13 +4,17 @@ include 'metaconfig/ssh/client_config'; prefix "/software/components/metaconfig/services/{/etc/ssh/ssh_config}/contents"; +"main/AddKeysToAgent" = "confirm"; "main/AddressFamily" = "any"; "main/BatchMode" = true; "main/BindAddress" = "192.168.1.1"; +"main/BindInterface" = "eth0"; +"main/CASignatureAlgorithms" = list("ssh-ed25519", "rsa-sha2-512"); "main/CanonicalDomains" = list(".com", ".eu"); "main/CanonicalizeFallbackLocal" = true; "main/CanonicalizeHostname" = "always"; "main/CanonicalizePermittedCNAMEs" = list("*.a.example.com:*.b.example.com", "*.c.example.com"); +"main/CertificateFile" = list("/absolute/path", "~/home/relative"); "main/ChallengeResponseAuthentication" = false; "main/CheckHostIP" = true; "main/Cipher" = "3des"; @@ -35,7 +39,12 @@ prefix "/software/components/metaconfig/services/{/etc/ssh/ssh_config}/contents" "main/GatewayPorts" = false; "main/GlobalKnownHostsFile" = list("/etc/ssh/ssh_known_hosts", "/etc/ssh/ssh_known_hosts2"); "main/GSSAPIAuthentication" = false; +"main/GSSAPIClientIdentity" = "custom"; "main/GSSAPIDelegateCredentials" = false; +"main/GSSAPIKeyExchange" = true; +"main/GSSAPIRenewalForcesRekey" = true; +"main/GSSAPIServerIdentity" = "server@principal"; +"main/GSSAPITrustDns" = false; "main/HashKnownHosts" = false; "main/HostbasedAuthentication" = true; "main/HostbasedKeyTypes" = list("*"); @@ -43,8 +52,10 @@ prefix "/software/components/metaconfig/services/{/etc/ssh/ssh_config}/contents" "main/HostKeyAlias" = "hostname2"; "main/HostName" = "%h"; "main/IdentitiesOnly" = true; +"main/IdentityAgent" = "none"; "main/IdentityFile" = list("~/.ssh/identity", "~/.ssh/id_rsa", "~/.ssh/id_dsa"); "main/IgnoreUnknown" = list("IPQoS", "KbdInteractiveAuthentication"); +"main/Include" = list("/absolute/path", "~/home/relative", "sshconf_relative"); "main/IPQoS" = "throughput"; "main/KbdInteractiveAuthentication" = true; "main/KbdInteractiveDevices" = list("pam", "skey"); 
@@ -62,9 +73,12 @@ prefix "/software/components/metaconfig/services/{/etc/ssh/ssh_config}/contents" "main/PreferredAuthentications" = list("gssapi-with-mic", "hostbased", "publickey"); "main/Protocol" = 2; "main/ProxyCommand" = "ssh -q -W %h:%p gateway.example.com"; +"main/ProxyJump" = list("user1@host1", "user2@host2"); "main/ProxyUseFdpass" = false; +"main/PubkeyAcceptedKeyTypes" = list("ssh-rsa"); "main/PubkeyAuthentication" = true; "main/RekeyLimit" = "1G"; +"main/RemoteCommand" = "cat /etc/motd"; "main/RemoteForward" = "*"; "main/RequestTTY" = "force"; "main/RevokedHostKeys" = list("~/.ssh/revokedkeys.txt"); @@ -73,9 +87,11 @@ prefix "/software/components/metaconfig/services/{/etc/ssh/ssh_config}/contents" "main/SendEnv" = list("LANG", "LC_CTYPE", "LC_NUMERIC", "LC_TIME"); "main/ServerAliveCountMax" = 4; "main/ServerAliveInterval" = 0; +"main/SetEnv" = dict("LC_ALL", "C", "TERM", "xterm"); "main/StreamLocalBindMask" = "0177"; "main/StreamLocalBindUnlink" = false; "main/StrictHostKeyChecking" = "ask"; +"main/SyslogFacility" = "LOCAL1"; "main/TCPKeepAlive" = true; "main/Tunnel" = "ethernet"; "main/TunnelDevice" = "tun0"; diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_allopts/base b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_allopts/base index 9c9de6832a..aea872fec0 100644 --- a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_allopts/base +++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_allopts/base 
@@ -2,13 +2,17 @@ Base test for all ssh client config options --- /etc/ssh/ssh_config --- +^AddKeysToAgent\sconfirm$ ^AddressFamily\sany$ ^BatchMode\sYes$ ^BindAddress\s192\.168\.1\.1$ +^CASignatureAlgorithms\sssh-ed25519,rsa-sha2-512$ ^CanonicalDomains\s\.com,\.eu$ ^CanonicalizeFallbackLocal\sYes$ ^CanonicalizeHostname\salways$ ^CanonicalizePermittedCNAMEs\s\*\.a\.example\.com:\*\.b\.example\.com,\*\.c\.example\.com$ +^CertificateFile\s/absolute/path$ +^CertificateFile\s~/home/relative$ ^ChallengeResponseAuthentication\sNo$ ^CheckHostIP\sYes$ ^Cipher\s3des$ @@ -31,7 +35,12 @@ Base test for all ssh client config options ^ForwardX11Timeout\s10$ ^ForwardX11Trusted\sNo$ ^GSSAPIAuthentication\sNo$ +^GSSAPIClientIdentity\scustom$ ^GSSAPIDelegateCredentials\sNo$ +^GSSAPIKeyExchange\sYes$ +^GSSAPIRenewalForcesRekey\sYes$ +^GSSAPIServerIdentity\sserver@principal$ +^GSSAPITrustDns\sNo$ ^GatewayPorts\sNo$ ^GlobalKnownHostsFile\s/etc/ssh/ssh_known_hosts\s/etc/ssh/ssh_known_hosts2$ ^HashKnownHosts\sNo$ @@ -42,10 +51,12 @@ Base test for all ssh client config options ^HostbasedKeyTypes\s\*$ ^IPQoS\sthroughput$ ^IdentitiesOnly\sYes$ +^IdentityAgent\snone$ ^IdentityFile\s~/\.ssh/identity$ ^IdentityFile\s~/\.ssh/id_rsa$ ^IdentityFile\s~/\.ssh/id_dsa$ ^IgnoreUnknown\sIPQoS\sKbdInteractiveAuthentication$ +^Include\s/absolute/path\s~/home/relative\ssshconf_relative$ ^KbdInteractiveAuthentication\sYes$ ^KbdInteractiveDevices\spam,skey$ ^KexAlgorithms\secdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521$ @@ -62,10 +73,13 @@ Base test for all ssh client config options ^PreferredAuthentications\sgssapi-with-mic,hostbased,publickey$ ^Protocol\s2$ ^ProxyCommand\sssh\s-q\s-W\s%h:%p\sgateway\.example\.com$ +^ProxyJump\suser1@host1,user2@host2$ ^ProxyUseFdpass\sNo$ +^PubkeyAcceptedKeyTypes\sssh-rsa$ ^PubkeyAuthentication\sYes$ ^RSAAuthentication\sYes$ ^RekeyLimit\s1G$ +^RemoteCommand\scat /etc/motd$ ^RemoteForward\s\*$ ^RequestTTY\sforce$ ^RevokedHostKeys\s~/\.ssh/revokedkeys\.txt$ 
@@ -73,9 +87,12 @@ Base test for all ssh client config options ^SendEnv\sLANG\sLC_CTYPE\sLC_NUMERIC\sLC_TIME$ ^ServerAliveCountMax\s4$ ^ServerAliveInterval\s0$ +^SetEnv\sLC_ALL="C"$ +^SetEnv\sTERM="xterm"$ ^StreamLocalBindMask\s0177$ ^StreamLocalBindUnlink\sNo$ ^StrictHostKeyChecking\sask$ +^SyslogFacility\sLOCAL1$ ^TCPKeepAlive\sYes$ ^Tunnel\sethernet$ ^TunnelDevice\stun0$ From d1f9b3c009c285f5d9f51fd4ea6c003fe8ffbf60 Mon Sep 17 00:00:00 2001 From: Gabor Gombas Date: Fri, 11 Jan 2019 12:59:18 +0100 Subject: [PATCH 03/14] ncm-metaconfig/ssh: Allow using key sets relative to the defaults Add support for prefixing various key types with "+" or "-" to indicate relative changes to the built-in defaults. --- ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan | 10 +++++----- .../metaconfig/ssh/tests/profiles/client_allopts.pan | 2 +- .../metaconfig/ssh/tests/regexps/client_allopts/base | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan b/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan index a79f2b5845..46d3049c37 100644 --- a/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan +++ b/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan 
@@ -5,19 +5,19 @@ include 'pan/types';
 # rename these types to prevent conflicts
 # we will remove these in an upcoming pr after template-library-core
 # has been updated with the new types from ncm-ssh
-type temp_ssh_ciphers = string with match (SELF, "^((blowfish|3des|aes128|aes192|aes256|cast128)-cbc" +
+type temp_ssh_ciphers = string with match (SELF, "^[+-]?((blowfish|3des|aes128|aes192|aes256|cast128)-cbc" +
 "|(aes128|aes192|aes256)-ctr|arcfour|arcfour(128|256)|(aes128-gcm|aes256-gcm|chacha20-poly1305)@openssh.com)$");
-type temp_ssh_hostkeyalgorithms = string with match(SELF, "^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|" +
+type temp_ssh_hostkeyalgorithms = string with match(SELF, "^[+-]?(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|" +
 "(ssh-rsa-cert-v01|ssh-dss-cert-v01|ecdsa-sha2-nistp256-cert-v01|ecdsa-sha2-nistp384-cert-v01|" +
 "ecdsa-sha2-nistp521-cert-v01|ssh-rsa-cert-v00|ssh-dss-cert-v00|ssh-ed25519-cert-v01)@openssh.com)$");
 type temp_ssh_kbdinteractivedevices = string with match (SELF, "^(bsdauth|pam|skey)$");
-type temp_ssh_kexalgorithms = string with match (SELF, "^(diffie-hellman-group(1-sha1|14-sha1|-exchange-sha1|" +
+type temp_ssh_kexalgorithms = string with match (SELF, "^[+-]?(diffie-hellman-group(1-sha1|14-sha1|-exchange-sha1|" +
 "-exchange-sha256)|ecdh-sha2-nistp(256|384|521)|curve25519-sha256@libssh.org|gss-gex-sha1-|" +
 "gss-group1-sha1-|gss-group14-sha1-)$");
-type temp_ssh_MACs = string with match(SELF, "^(hmac-(sha1|sha1-96|sha2-256|sha2-512|md5|md5-96|ripemd160)|" +
+type temp_ssh_MACs = string with match(SELF, "^[+-]?(hmac-(sha1|sha1-96|sha2-256|sha2-512|md5|md5-96|ripemd160)|" +
 "(hmac-ripemd160|umac-64|umac-128|hmac-sha1-etm|hmac-sha1-96-etm|hmac-sha2-256-etm|hmac-sha2-512-etm|" +
 "hmac-md5-etm|hmac-md5-96-etm|hmac-ripemd160-etm|umac-64-etm|umac-128-etm)@openssh.com)$");
-type temp_ssh_CAAlgorithms = string with match(SELF, "^(ecdsa-sha2-nistp(256|384|521)|ssh-ed25519|rsa-sha2-(256|512)|ssh-rsa)$");
+type temp_ssh_CAAlgorithms = string with match(SELF, "^[+-]?(ecdsa-sha2-nistp(256|384|521)|ssh-ed25519|rsa-sha2-(256|512)|ssh-rsa)$");
 
 
 type ssh_config_opts = {
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/client_allopts.pan b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/client_allopts.pan
index c7f5db70f4..4d33f2cf91 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/client_allopts.pan
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/client_allopts.pan
@@ -75,7 +75,7 @@ prefix "/software/components/metaconfig/services/{/etc/ssh/ssh_config}/contents"
 "main/ProxyCommand" = "ssh -q -W %h:%p gateway.example.com";
 "main/ProxyJump" = list("user1@host1", "user2@host2");
 "main/ProxyUseFdpass" = false;
-"main/PubkeyAcceptedKeyTypes" = list("ssh-rsa");
+"main/PubkeyAcceptedKeyTypes" = list("-ssh-rsa");
 "main/PubkeyAuthentication" = true;
 "main/RekeyLimit" = "1G";
 "main/RemoteCommand" = "cat /etc/motd";
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_allopts/base b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_allopts/base
index aea872fec0..d197462f98 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_allopts/base
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_allopts/base
@@ -75,7 +75,7 @@ Base test for all ssh client config options
 ^ProxyCommand\sssh\s-q\s-W\s%h:%p\sgateway\.example\.com$
 ^ProxyJump\suser1@host1,user2@host2$
 ^ProxyUseFdpass\sNo$
-^PubkeyAcceptedKeyTypes\sssh-rsa$
+^PubkeyAcceptedKeyTypes\s-ssh-rsa$
 ^PubkeyAuthentication\sYes$
 ^RSAAuthentication\sYes$
 ^RekeyLimit\s1G$
From 937ffedbf2ba71f08edc10e155cbc279f55a4c39 Mon Sep 17 00:00:00 2001
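Review bot: The `^[+-]?` prefix is now accepted on every element of the five list element types, but OpenSSH honours a leading `+` or `-` only on the first character of the whole comma-joined value, so a profile such as `list("aes256-ctr", "-3des-cbc")` passes the schema, renders as `aes256-ctr,-3des-cbc`, and is rejected by ssh as a bad algorithm spec. An element type cannot see its position in the list, so the constraint belongs on the fields that use these types, e.g. a validation function asserting that only element 0 may start with `+` or `-`; failing that, a comment on each type such as `# "+"/"-" is only meaningful on the first element of the list` would at least document the limitation. The `client_allopts` test only exercises the single-element `"-ssh-rsa"` case and so does not catch this.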
From: Gabor Gombas Date: Wed, 17 Oct 2018 18:01:03 +0200 Subject: [PATCH 04/14] ncm-metaconfig/ssh: Implement SSH daemon configuration The main driver was getting support for "Match ..." blocks, which would have been more difficult to add to ncm-ssh. --- .../src/main/metaconfig/ssh/pan/schema.pan | 109 ++++++++++++++++++ .../main/metaconfig/ssh/pan/server_config.pan | 8 ++ .../src/main/metaconfig/ssh/server.tt | 7 ++ .../src/main/metaconfig/ssh/server_attrs.tt | 44 +++++++ .../ssh/tests/profiles/server_allopts.pan | 96 +++++++++++++++ .../ssh/tests/profiles/server_config.pan | 17 +++ .../ssh/tests/regexps/server_allopts/base | 99 ++++++++++++++++ .../ssh/tests/regexps/server_config/base | 9 ++ 8 files changed, 389 insertions(+) create mode 100644 ncm-metaconfig/src/main/metaconfig/ssh/pan/server_config.pan create mode 100644 ncm-metaconfig/src/main/metaconfig/ssh/server.tt create mode 100644 ncm-metaconfig/src/main/metaconfig/ssh/server_attrs.tt create mode 100644 ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_allopts.pan create mode 100644 ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_config.pan create mode 100644 ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_allopts/base create mode 100644 ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_config/base diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan b/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan index 46d3049c37..f6d1792732 100644 --- a/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan +++ b/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan 
@@ -140,3 +140,112 @@ type ssh_config_file = {
 'main' ? ssh_config_opts
 };
 
+# Not all options may appear inside a Match block
+type sshd_config_match_opts = {
+ 'AcceptEnv' ? string[]
+ 'AllowAgentForwarding' ? boolean
+ 'AllowGroups' ? string[]
+ 'AllowStreamLocalForwarding' ? string with match (SELF, "^(yes|all|no|local|remote)$")
+ 'AllowTcpForwarding' ? string with match (SELF, "^(yes|all|no|local|remote)$")
+ 'AllowUsers' ? string[]
+ 'AuthenticationMethods' ? string[] # Don't go into details - it does not seem to worth the effort
+ 'AuthorizedKeysCommand' ? absolute_file_path
+ 'AuthorizedKeysCommandUser' ? string
+ 'AuthorizedKeysFile' ? string[]
+ 'AuthorizedPrincipalsCommand' ? absolute_file_path
+ 'AuthorizedPrincipalsCommandUser' ? string
+ 'AuthorizedPrincipalsFile' ? string[]
+ 'Banner' ? string
+ 'ChrootDirectory' ? string
+ 'ClientAliveCountMax' ? long(1..)
+ 'ClientAliveInterval' ? long(0..)
+ 'DenyGroups' ? string[]
+ 'DenyUsers' ? string[]
+ 'ForceCommand' ? string
+ 'GatewayPorts' ? string with match (SELF, "^(yes|no|clientspecified)$")
+ 'GSSAPIAuthentication' ? boolean
+ 'HostbasedAcceptedKeyTypes' ? temp_ssh_hostkeyalgorithms[]
+ 'HostbasedAuthentication' ? boolean
+ 'HostbasedUsesNameFromPacketOnly' ? boolean
+ 'IPQoS' ? string[] with length(SELF) == 1 || length(SELF) == 2
+ 'KbdInteractiveAuthentication' ? boolean
+ 'KerberosAuthentication' ? boolean
+ 'LogLevel' ? string with match (SELF, "^(QUIET|FATAL|ERROR|INFO|VERBOSE|DEBUG[123]?)$")
+ 'MaxAuthTries' ? long(1..)
+ 'MaxSessions' ? long(0..)
+ 'PasswordAuthentication' ? boolean
+ 'PermitEmptyPasswords' ? boolean
+ 'PermitListen' ? string[] # type_hostport would not allow wildcards
+ 'PermitOpen' ? string[] # type_hostport would not allow wildcards
+ 'PermitRootLogin' ? string with match (SELF, "^(yes|prohibit-password|without-password|forced-commands-only|no)$")
+ 'PermitTTY' ? boolean
+ 'PermitTunnel' ? string with match (SELF, "^(yes|point-to-point|ethernet|no)$")
+ 'PermitUserRC' ? boolean
+ 'PubkeyAcceptedKeyTypes' ? temp_ssh_hostkeyalgorithms[]
+ 'PubkeyAuthentication' ? boolean
+ 'RekeyLimit' ? string[] with length(SELF) == 1 || length(SELF) == 2
+ 'RSAAuthentication' ? boolean
+ 'RhostsRSAAuthentication' ? boolean
+ 'RevokedKeys' ? string
+ 'RDomain' ? string
+ 'SetEnv' ? string{}
+ 'StreamLocalBindMask' ? string with match (SELF, "^[0-7]{3,5}$")
+ 'StreamLocalBindUnlink' ? boolean
+ 'TrustedUserCAKeys' ? string
+ 'X11DisplayOffset' ? long(0..)
+ 'X11Forwarding' ? boolean
+ 'X11UseLocalHost' ? boolean
+};
+
+type sshd_config_match = {
+ "matches" : string[]
+ include sshd_config_match_opts
+};
+
+type sshd_config_opts = {
+ include sshd_config_match_opts
+ 'AddressFamily' ? string with match (SELF, "^(any|inet|inet6)$")
+ 'ChallengeResponseAuthentication' ? boolean
+ 'Ciphers' ? temp_ssh_ciphers[]
+ 'Compression' ? boolean
+ 'DisableForwarding' ? boolean
+ 'ExposeAuthInfo' ? boolean
+ 'FingerprintHash' ? string with match (SELF, "^(md5|sha256)$")
+ 'GSSAPICleanupCredentials' ? boolean
+ 'GSSAPIKeyExchange' ? boolean
+ 'GSSAPIStrictAcceptorCheck' ? boolean
+ 'GSSAPIStoreCredentialsOnRekey' ? boolean
+ 'HostCertificate' ? string
+ 'HostKey' ? string[]
+ 'HostKeyAgent' ? string
+ 'HostKeyAlgorithms' ? temp_ssh_hostkeyalgorithms[]
+ 'IgnoreRhosts' ? boolean
+ 'IgnoreUserKnownHosts' ? boolean
+ 'KerberosGetAFSToken' ? boolean
+ 'KerberosOrLocalPasswd' ? boolean
+ 'KerberosTicketCleanup' ? boolean
+ 'KexAlgorithms' ? temp_ssh_kexalgorithms[]
+ 'ListenAddress' ? type_hostport[]
+ 'LoginGraceTime' ? long(0..)
+ 'MACs' ? temp_ssh_MACs[]
+ 'Match' ? sshd_config_match[]
+ 'MaxStartups' ? string with match (SELF, "^[0-9]+(:[0-9]+:[0-9]+)?$")
+ 'PermitUserEnvironment' ? boolean
+ 'PidFile' ? absolute_file_path
+ 'Port' ? long(1..)[]
+ 'PrintLastLog' ? boolean
+ 'PrintMotd' ? boolean
+ 'StrictModes' ? boolean
+ 'Subsystem' ? string{}
+ 'SyslogFacility' ? string with match (SELF, "^(DAEMON|USER|AUTH|LOCAL[0-7])$")
+ 'TCPKeepAlive' ? boolean
+ 'UseDNS' ? boolean
+ 'UsePAM' ? boolean
+ 'VersionAddendum' ? string
+ 'XAuthLocation' ? absolute_file_path
+};
+
+type sshd_config_file = {
+ 'Match' ? sshd_config_match[]
+ 'main' ? sshd_config_opts
+};
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/pan/server_config.pan b/ncm-metaconfig/src/main/metaconfig/ssh/pan/server_config.pan
new file mode 100644
index 0000000000..2f8250e567
--- /dev/null
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/pan/server_config.pan
@@ -0,0 +1,8 @@
+unique template metaconfig/ssh/server_config;
+
+include 'metaconfig/ssh/schema';
+
+bind "/software/components/metaconfig/services/{/etc/ssh/sshd_config}/contents" = sshd_config_file;
+
+prefix "/software/components/metaconfig/services/{/etc/ssh/sshd_config}";
+"module" = "ssh/server";
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/server.tt b/ncm-metaconfig/src/main/metaconfig/ssh/server.tt
new file mode 100644
index 0000000000..b5b6de5124
--- /dev/null
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/server.tt
@@ -0,0 +1,7 @@
+
+[% INCLUDE metaconfig/ssh/server_attrs.tt data=main -%]
+
+[% FOREACH mt IN Match -%]
+Match [% mt.matches.join(' ') %]
+[% INCLUDE metaconfig/ssh/server_attrs.tt data=mt FILTER indent %]
+[% END -%]
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/server_attrs.tt b/ncm-metaconfig/src/main/metaconfig/ssh/server_attrs.tt
new file mode 100644
index 0000000000..d5288421a8
--- /dev/null
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/server_attrs.tt
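Review bot: `'Match' ? sshd_config_match[]` is declared twice — inside `sshd_config_opts` and again at the top of `sshd_config_file` — but the new server.tt only iterates the top-level `Match`; a `main/Match` entry would be valid against the schema yet reach the default `CASE` of server_attrs.tt and be printed as `Match [% pair.value %]`, a stringified list rather than a Match block, so the entry in `sshd_config_opts` should be removed. `AuthorizedKeysCommand` and `AuthorizedPrincipalsCommand` are typed `absolute_file_path`, whereas sshd accepts a command line with arguments and tokens for both (the profile value `/usr/sbin/key-lookup` happens to fit); if that type rejects spaces, as its name suggests, legitimate helper invocations cannot be expressed — worth confirming against the type's definition and widening to `string` if so. A comment on `sshd_config_match` such as `# 'matches' holds the Match criteria, joined by spaces in server.tt` would also help readers, since the key is consumed by the template and not by sshd.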
@@ -0,0 +1,44 @@
+[% spacelist = ['AcceptEnv', 'AllowGroups', 'AllowUsers', 'AuthenticationMethods', 'AuthorizedKeysFile', 'AuthorizedPrincipalsFile',
+ 'DenyGroups', 'DenyUsers',
+ 'IPQoS',
+ 'PermitListen', 'PermitOpen',
+ 'RekeyLimit' ] -%]
+[% commalist = ['Ciphers', 'HostKeyAlgorithms', 'HostbasedAcceptedKeyTypes', 'KexAlgorithms', 'MACs', 'PubkeyAcceptedKeyTypes' ] -%]
+[% multilinelist = ['HostKey', 'ListenAddress', 'Port' ] -%]
+[% booleans = ['AllowAgentForwarding',
+ 'ChallengeResponseAuthentication', 'Compression',
+ 'ExposeAuthInfo',
+ 'GSSAPIAuthentication', 'GSSAPICleanupCredentials', 'GSSAPIKeyExchange', 'GSSAPIStrictAcceptorCheck', 'GSSAPIStoreCredentialsOnRekey',
+ 'HostbasedAuthentication', 'HostbasedUsesNameFromPacketOnly',
+ 'IgnoreRhosts', 'IgnoreUserKnownHosts',
+ 'KbdInteractiveAuthentication', 'KerberosAuthentication', 'KerberosGetAFSToken', 'KerberosOrLocalPasswd', 'KerberosTicketCleanup',
+ 'PasswordAuthentication', 'PermitEmptyPasswords', 'PermitRootLogin', 'PermitTTY', 'PermitTunnel', 'PermitUserEnvironment',
+ 'PermitUserRC', 'PrintLastLog', 'PrintMotd', 'PubkeyAuthentication',
+ 'StreamLocalBindUnlink', 'StrictModes',
+ 'TCPKeepAlive', 'UseDNS', 'UsePAM', 'X11Forwarding', 'X11UseLocalhost'] -%]
+
+[%- FOREACH pair IN data.pairs -%]
+[% NEXT IF pair.key == 'matches' -%]
+[% SWITCH pair.key -%]
+[% CASE booleans -%]
+[% pair.key %] [% pair.value ? 'Yes' : 'No' %]
+[% CASE spacelist -%]
+[% pair.key %] [% pair.value.join(' ') %]
+[% CASE commalist -%]
+[% pair.key %] [% pair.value.join(',') %]
+[% CASE multilinelist -%]
+[% FOREACH line IN pair.value -%]
+[% pair.key %] [% line %]
+[% END -%]
+[% CASE 'Subsystem' -%]
+[% FOREACH item IN pair.value.pairs -%]
+Subsystem [% item.key %] [% item.value %]
+[% END -%]
+[% CASE 'SetEnv' -%]
+[% FOREACH item IN pair.value.pairs -%]
+SetEnv [% item.key %]="[% item.value %]"
+[% END -%]
+[% CASE -%]
+[% pair.key %] [% pair.value %]
+[% END -%]
+[% END -%]
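Review bot: `PermitRootLogin` and `PermitTunnel` are listed in `booleans` although the schema types both as constrained strings, so the `CASE booleans` branch turns any non-empty value — `prohibit-password`, `point-to-point`, even `no` — into `Yes`; the server_allopts regexps (`^PermitRootLogin\sYes$`, `^PermitTunnel\sYes$`) lock that output in for a profile that sets `prohibit-password` and `point-to-point`, which silently weakens the generated sshd_config relative to what was configured. Conversely `DisableForwarding`, `RSAAuthentication` and `RhostsRSAAuthentication` are `boolean` in the schema but missing from the list, and `'X11UseLocalhost'` does not equal the schema key `X11UseLocalHost` (the `CASE` comparison is case-sensitive), so all four fall through to the default branch and are emitted as `0`/`1`, which sshd does not accept for a yes/no option; the `\s0$`/`\s1$` expectations in the same regexps file fix that in place too. Fix: remove `'PermitRootLogin', 'PermitTunnel'` from the `PasswordAuthentication` line, add `'DisableForwarding'`, `'RSAAuthentication'`, `'RhostsRSAAuthentication'` to the list, spell the last entry `'X11UseLocalHost'`, and update the server_allopts regexps to match.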
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_allopts.pan b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_allopts.pan new file mode 100644 index 0000000000..d8d2f5d3cc --- /dev/null +++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_allopts.pan 
@@ -0,0 +1,96 @@ +object template server_allopts; + +include 'metaconfig/ssh/server_config'; + +prefix "/software/components/metaconfig/services/{/etc/ssh/sshd_config}/contents"; + +"main/AcceptEnv" = list("LC_CTYPE", "LANG", "TERM"); +"main/AddressFamily" = "any"; +"main/AllowAgentForwarding" = false; +"main/AllowGroups" = list("wheel"); +"main/AllowStreamLocalForwarding" = "local"; +"main/AllowTcpForwarding" = "local"; +"main/AllowUsers" = list("quattor"); +"main/AuthenticationMethods" = list("any"); +"main/AuthorizedKeysCommand" = "/usr/sbin/key-lookup"; +"main/AuthorizedKeysCommandUser" = "keyuser"; +"main/AuthorizedKeysFile" = list("/etc/ssh/authorized_keys", ".ssh/authorized_keys"); +"main/AuthorizedPrincipalsCommand" = "/usr/sbin/principal-lookup"; +"main/AuthorizedPrincipalsCommandUser" = "princuser"; +"main/AuthorizedPrincipalsFile" = list("/etc/ssh/x509_users", ".ssh/x509_users"); +"main/Banner" = "Configured by Quattor"; +"main/ChallengeResponseAuthentication" = false; +"main/ChrootDirectory" = "/srv/ssh"; +"main/Ciphers" = list("chacha20-poly1305@openssh.com", "arcfour256", "arcfour128", "aes128-cbc", "3des-cbc"); +"main/ClientAliveCountMax" = 3; +"main/ClientAliveInterval" = 30; +"main/Compression" = false; +"main/DenyGroups" = list("adm"); +"main/DenyUsers" = list("root"); +"main/DisableForwarding" = false; +"main/ExposeAuthInfo" = false; +"main/FingerprintHash" = "sha256"; +"main/ForceCommand" = "cat /etc/motd"; +"main/GatewayPorts" = "clientspecified"; +"main/GSSAPIAuthentication" = true; +"main/GSSAPICleanupCredentials" = true; +"main/GSSAPIKeyExchange" = true; +"main/GSSAPIStrictAcceptorCheck" = true; +"main/GSSAPIStoreCredentialsOnRekey" = true; +"main/HostbasedAcceptedKeyTypes" = list("-ssh-rsa"); +"main/HostbasedAuthentication" = true; +"main/HostbasedUsesNameFromPacketOnly" = false; +"main/HostCertificate" = "/etc/ssh/ssh_host_cert.pem"; +"main/HostKey" = list("/etc/ssh/ssh_host_rsa_key", "/etc/ssh/ssh_host_ed25519_key"); +"main/HostKeyAgent" 
= "/run/ssh/key_agent.socket"; +"main/HostKeyAlgorithms" = list("ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"); +"main/IPQoS" = list("lowdelay", "throughput"); +"main/IgnoreRhosts" = true; +"main/IgnoreUserKnownHosts" = true; +"main/KbdInteractiveAuthentication" = true; +"main/KerberosAuthentication" = false; +"main/KerberosGetAFSToken" = false; +"main/KerberosOrLocalPasswd" = false; +"main/KerberosTicketCleanup" = true; +"main/KexAlgorithms" = list("ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"); +"main/ListenAddress" = list("127.0.0.1:22", "192.168.0.1:22", "192.168.0.1:2200"); +"main/LogLevel" = "DEBUG3"; +"main/LoginGraceTime" = 60; +"main/MACs" = list("hmac-sha1-96-etm@openssh.com", "hmac-md5-96-etm@openssh.com"); +"main/MaxAuthTries" = 3; +"main/MaxSessions" = 10; +"main/MaxStartups" = "10:30:100"; +"main/PasswordAuthentication" = false; +"main/PermitEmptyPasswords" = false; +"main/PermitListen" = list("8080", "127.0.0.1:*"); +"main/PermitOpen" = list("8080", "192.168.0.1:*"); +"main/PermitRootLogin" = "prohibit-password"; +"main/PermitTTY" = true; +"main/PermitTunnel" = "point-to-point"; +"main/PermitUserEnvironment" = false; +"main/PermitUserRC" = false; +"main/PidFile" = "/run/sshd.pid"; +"main/Port" = list(22, 2200); +"main/PrintLastLog" = true; +"main/PrintMotd" = true; +"main/PubkeyAcceptedKeyTypes" = list("-ssh-rsa"); +"main/PubkeyAuthentication" = true; +"main/RDomain" = "%D"; +"main/RSAAuthentication" = false; +"main/RekeyLimit" = list("1G", "300s"); +"main/RevokedKeys" = "/etc/ssh/revoked_keys"; +"main/RhostsRSAAuthentication" = false; +"main/SetEnv" = dict("LC_ALL", "C", "TERM", "xterm"); +"main/StreamLocalBindMask" = "0177"; +"main/StreamLocalBindUnlink" = false; +"main/Subsystem" = dict("sftp", "internal-sftp"); +"main/SyslogFacility" = "AUTH"; +"main/TCPKeepAlive" = true; +"main/TrustedUserCAKeys" = "/etc/ssh/trusted_cas"; +"main/UseDNS" = true; +"main/UsePAM" = true; +"main/VersionAddendum" = "extra"; 
+"main/X11DisplayOffset" = 10; +"main/X11Forwarding" = true; +"main/X11UseLocalHost" = true; +"main/XAuthLocation" = "/usr/bin/xauth"; diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_config.pan b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_config.pan new file mode 100644 index 0000000000..5bf466885f --- /dev/null +++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_config.pan @@ -0,0 +1,17 @@ +object template server_config; + +include 'metaconfig/ssh/server_config'; + +prefix "/software/components/metaconfig/services/{/etc/ssh/sshd_config}/contents"; + +"main/AddressFamily" = "any"; +"main/Ciphers" = list("aes128-ctr", "aes192-ctr", "aes256-ctr"); +"main/PasswordAuthentication" = false; +"main/Subsystem" = dict("sftp", "internal-sftp"); + +'Match' = append( + dict( + "matches", list("User testuser2", "Address 192.168.0.0/16"), + "PasswordAuthentication", true, + ) + ); diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_allopts/base b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_allopts/base new file mode 100644 index 0000000000..363a2985f7 --- /dev/null +++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_allopts/base 
@@ -0,0 +1,99 @@
+Base test for all ssh server config options
+---
+/etc/ssh/sshd_config
+---
+^AcceptEnv\sLC_CTYPE\sLANG\sTERM$
+^AddressFamily\sany$
+^AllowAgentForwarding\sNo$
+^AllowGroups\swheel$
+^AllowStreamLocalForwarding\slocal$
+^AllowTcpForwarding\slocal$
+^AllowUsers\squattor$
+^AuthenticationMethods\sany$
+^AuthorizedKeysCommand\s/usr/sbin/key-lookup$
+^AuthorizedKeysCommandUser\skeyuser$
+^AuthorizedKeysFile\s/etc/ssh/authorized_keys\s\.ssh/authorized_keys$
+^AuthorizedPrincipalsCommand\s/usr/sbin/principal-lookup$
+^AuthorizedPrincipalsCommandUser\sprincuser$
+^AuthorizedPrincipalsFile\s/etc/ssh/x509_users\s\.ssh/x509_users$
+^Banner\sConfigured by Quattor$
+^ChallengeResponseAuthentication\sNo$
+^ChrootDirectory\s/srv/ssh$
+^Ciphers\schacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc$
+^ClientAliveCountMax\s3$
+^ClientAliveInterval\s30$
+^Compression\sNo$
+^DenyGroups\sadm$
+^DenyUsers\sroot$
+^DisableForwarding\s0$
+^ExposeAuthInfo\sNo$
+^FingerprintHash\ssha256$
+^ForceCommand\scat\s/etc/motd$
+^GSSAPIAuthentication\sYes$
+^GSSAPICleanupCredentials\sYes$
+^GSSAPIKeyExchange\sYes$
+^GSSAPIStoreCredentialsOnRekey\sYes$
+^GSSAPIStrictAcceptorCheck\sYes$
+^GatewayPorts\sclientspecified$
+^HostCertificate\s/etc/ssh/ssh_host_cert.pem$
+^HostKey\s/etc/ssh/ssh_host_rsa_key$
+^HostKey\s/etc/ssh/ssh_host_ed25519_key$
+^HostKeyAgent\s/run/ssh/key_agent\.socket$
+^HostKeyAlgorithms\secdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521$
+^HostbasedAcceptedKeyTypes\s-ssh-rsa$
+^HostbasedAuthentication\sYes$
+^HostbasedUsesNameFromPacketOnly\sNo$
+^IPQoS\slowdelay\sthroughput$
+^IgnoreRhosts\sYes$
+^IgnoreUserKnownHosts\sYes$
+^KbdInteractiveAuthentication\sYes$
+^KerberosAuthentication\sNo$
+^KerberosGetAFSToken\sNo$
+^KerberosOrLocalPasswd\sNo$
+^KerberosTicketCleanup\sYes$
+^KexAlgorithms\secdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521$
+^ListenAddress\s127\.0\.0\.1:22$
+^ListenAddress\s192\.168\.0\.1:22$
+^ListenAddress\s192\.168\.0\.1:2200$
+^LogLevel\sDEBUG3$
+^LoginGraceTime\s60$
+^MACs\shmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com$
+^MaxAuthTries\s3$
+^MaxSessions\s10$
+^MaxStartups\s10:30:100$
+^PasswordAuthentication\sNo$
+^PermitEmptyPasswords\sNo$
+^PermitListen\s8080\s127\.0\.0\.1:\*$
+^PermitOpen\s8080\s192\.168\.0\.1:\*$
+^PermitRootLogin\sYes$
+^PermitTTY\sYes$
+^PermitTunnel\sYes$
+^PermitUserEnvironment\sNo$
+^PermitUserRC\sNo$
+^PidFile\s/run/sshd\.pid$
+^Port\s22$
+^Port\s2200$
+^PrintLastLog\sYes$
+^PrintMotd\sYes$
+^PubkeyAcceptedKeyTypes\s-ssh-rsa$
+^PubkeyAuthentication\sYes$
+^RDomain\s%D$
+^RSAAuthentication\s0$
+^RekeyLimit\s1G\s300s$
+^RevokedKeys\s/etc/ssh/revoked_keys$
+^RhostsRSAAuthentication\s0$
+^SetEnv\sLC_ALL="C"$
+^SetEnv\sTERM="xterm"$
+^StreamLocalBindMask\s0177$
+^StreamLocalBindUnlink\sNo$
+^Subsystem\ssftp\sinternal-sftp$
+^SyslogFacility\sAUTH$
+^TCPKeepAlive\sYes$
+^TrustedUserCAKeys\s/etc/ssh/trusted_cas$
+^UseDNS\sYes$
+^UsePAM\sYes$
+^VersionAddendum\sextra$
+^X11DisplayOffset\s10$
+^X11Forwarding\sYes$
+^X11UseLocalHost\s1$
+^XAuthLocation\s/usr/bin/xauth$
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_config/base b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_config/base
new file mode 100644
index 0000000000..a02fa74943
--- /dev/null
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_config/base
@@ -0,0 +1,9 @@
+Base test for ssh server config
+---
+/etc/ssh/sshd_config
+---
+^AddressFamily\sany$
+^Ciphers\saes128-ctr,aes192-ctr,aes256-ctr$
+^PasswordAuthentication\sNo$
+^Match\sUser\stestuser2\sAddress\s192.168.0.0/16$
+^\s{4}PasswordAuthentication\sYes$
From 2a296173c07727ad059376fc3113dfc2616c06ca Mon Sep 17 00:00:00 2001
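Review bot: `^PermitRootLogin\sYes$` and `^PermitTunnel\sYes$` pin a rendering defect rather than the intended output: the profile in the preceding file sets `"main/PermitRootLogin" = "prohibit-password"` and `"main/PermitTunnel" = "point-to-point"`, so a restrictive setting is being emitted as the permissive `Yes`. The fixture should expect `^PermitRootLogin\sprohibit-password$` and `^PermitTunnel\spoint-to-point$` and fail until the template is fixed (later patches in this series do change these lines; flagging so the intermediate state is not taken as a reference). Several regexps also leave `.` unescaped — `openssh.com`, `ssh_host_cert.pem`, and `192.168.0.0/16` in the next file — while neighbouring lines escape it; escaping consistently keeps the fixture from accepting a corrupted value.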
From: Gabor Gombas
Date: Thu, 5 Mar 2020 14:05:50 +0100
Subject: [PATCH 05/14] ncm-metaconfig: ssh: Drop boolean lists

Use value.is_boolean instead.
---
 .../src/main/metaconfig/ssh/client_attrs.tt | 22 ++++---------------
 .../src/main/metaconfig/ssh/server_attrs.tt | 17 ++++----------
 2 files changed, 8 insertions(+), 31 deletions(-)

diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/client_attrs.tt b/ncm-metaconfig/src/main/metaconfig/ssh/client_attrs.tt
index 3d331f0e3c..d592e3e668 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/client_attrs.tt
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/client_attrs.tt
@@ -5,28 +5,14 @@
 'MACs', 'PreferredAuthentications', 'PubkeyAcceptedKeyTypes', 'ProxyJump',
 ] -%]
 [% multilinelist = ['CertificateFile', 'IdentityFile', 'RevokedHostKeys'] -%]
-[% booleans = ['BatchMode',
- 'CanonicalizeFallbackLocal', 'ChallengeResponseAuthentication', 'CheckHostIP', 'ClearAllForwardings', 'Compression',
- 'EnableSSHKeysign', 'ExitOnForwardFailure',
- 'ForwardAgent', 'ForwardX11', 'ForwardX11Trusted',
- 'GatewayPorts', 'GSSAPIAuthentication', 'GSSAPIDelegateCredentials', 'GSSAPIKeyExchange', 'GSSAPIRenewalForcesRekey', 'GSSAPITrustDns',
- 'HashKnownHosts', 'HostbasedAuthentication',
- 'IdentitiesOnly',
- 'KbdInteractiveAuthentication',
- 'NoHostAuthenticationForLocalhost',
- 'PasswordAuthentication', 'PermitLocalCommand', 'ProxyUseFdpass', 'PubkeyAuthentication',
- 'RhostsRSAAuthentication', 'RSAAuthentication',
- 'StreamLocalBindUnlink',
- 'TCPKeepAlive',
- 'UsePrivilegedPort',
- 'VisualHostKey',
- ] -%]
 [%- FOREACH pair IN data.pairs -%]
 [% NEXT IF pair.key == 'hostnames' || pair.key == 'matches' -%]
+[% IF pair.value.is_boolean -%]
+[% pair.key %] [% pair.value ? 'Yes' : 'No' %]
+[% NEXT -%]
+[% END -%]
 [% SWITCH pair.key -%]
-[% CASE booleans -%]
-[% pair.key %] [% pair.value ? 'Yes' : 'No' %]
 [% CASE spacelist -%]
 [% pair.key %] [% pair.value.join(' ') %]
 [% CASE commalist -%]
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/server_attrs.tt b/ncm-metaconfig/src/main/metaconfig/ssh/server_attrs.tt
index d5288421a8..cac75a53f4 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/server_attrs.tt
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/server_attrs.tt
@@ -5,23 +5,14 @@
 'RekeyLimit' ] -%]
 [% commalist = ['Ciphers', 'HostKeyAlgorithms', 'HostbasedAcceptedKeyTypes', 'KexAlgorithms', 'MACs', 'PubkeyAcceptedKeyTypes' ] -%]
 [% multilinelist = ['HostKey', 'ListenAddress', 'Port' ] -%]
-[% booleans = ['AllowAgentForwarding',
- 'ChallengeResponseAuthentication', 'Compression',
- 'ExposeAuthInfo',
- 'GSSAPIAuthentication', 'GSSAPICleanupCredentials', 'GSSAPIKeyExchange', 'GSSAPIStrictAcceptorCheck', 'GSSAPIStoreCredentialsOnRekey',
- 'HostbasedAuthentication', 'HostbasedUsesNameFromPacketOnly',
- 'IgnoreRhosts', 'IgnoreUserKnownHosts',
- 'KbdInteractiveAuthentication', 'KerberosAuthentication', 'KerberosGetAFSToken', 'KerberosOrLocalPasswd', 'KerberosTicketCleanup',
- 'PasswordAuthentication', 'PermitEmptyPasswords', 'PermitRootLogin', 'PermitTTY', 'PermitTunnel', 'PermitUserEnvironment',
- 'PermitUserRC', 'PrintLastLog', 'PrintMotd', 'PubkeyAuthentication',
- 'StreamLocalBindUnlink', 'StrictModes',
- 'TCPKeepAlive', 'UseDNS', 'UsePAM', 'X11Forwarding', 'X11UseLocalhost'] -%]
 [%- FOREACH pair IN data.pairs -%]
 [% NEXT IF pair.key == 'matches' -%]
+[% IF pair.value.is_boolean -%]
+[% pair.key %] [% pair.value ? 'Yes' : 'No' %]
+[% NEXT -%]
+[% END -%]
 [% SWITCH pair.key -%]
-[% CASE booleans -%]
-[% pair.key %] [% pair.value ? 'Yes' : 'No' %]
 [% CASE spacelist -%]
 [% pair.key %] [% pair.value.join(' ') %]
 [% CASE commalist -%]
From a136df61837e7e63919a4b4d306b599157dfba50 Mon Sep 17 00:00:00 2001
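Review bot: The commit message undersells a security-relevant behaviour change: the removed `booleans` list included `PermitRootLogin` and `PermitTunnel`, and `[% pair.value ? 'Yes' : 'No' %]` turned any non-empty string value — e.g. `prohibit-password` — into `PermitRootLogin Yes`, which is exactly what the existing server_allopts regexps still expect. Switching to `pair.value.is_boolean` lets string values pass through verbatim, so deployed `sshd_config` files will differ after this change; please say so in the commit message and update the regexps in this same commit so the series never has a state in which the tests assert the permissive output. A short comment above the new `IF`, `[% # booleans render as Yes/No; string-valued options such as PermitRootLogin pass through verbatim -%]`, would also help the next reader.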
From: Gabor Gombas
Date: Thu, 5 Mar 2020 14:44:56 +0100
Subject: [PATCH 06/14] ncm-metaconfig: ssh: schema updates

Re-work some regular expressions to make lines shorter. Add GSSAPIKexAlgorithms and a missing CASignatureAlgorithms setting.
---
 .../src/main/metaconfig/ssh/pan/schema.pan | 30 +++++++++++++------
 1 file changed, 21 insertions(+), 9 deletions(-)

diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan b/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan
index f6d1792732..fdd75b5849 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan
@@ -5,19 +5,28 @@ include 'pan/types';
 # rename these types to prevent conflicts
 # we will remove these in an upcoming pr after template-library-core
 # has been updated with the new types from ncm-ssh
-type temp_ssh_ciphers = string with match (SELF, "^[+-]?((blowfish|3des|aes128|aes192|aes256|cast128)-cbc" +
- "|(aes128|aes192|aes256)-ctr|arcfour|arcfour(128|256)|(aes128-gcm|aes256-gcm|chacha20-poly1305)@openssh.com)$");
-type temp_ssh_hostkeyalgorithms = string with match(SELF, "^[+-]?(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|" +
- "(ssh-rsa-cert-v01|ssh-dss-cert-v01|ecdsa-sha2-nistp256-cert-v01|ecdsa-sha2-nistp384-cert-v01|" +
- "ecdsa-sha2-nistp521-cert-v01|ssh-rsa-cert-v00|ssh-dss-cert-v00|ssh-ed25519-cert-v01)@openssh.com)$");
+type temp_ssh_ciphers = string with match (SELF, "^[+-]?(" +
+ "(blowfish|3des|aes(128|192|256)|cast128)-cbc" +
+ "|aes(128|192|256)-ctr|arcfour|arcfour(128|256)" +
+ "|aes(128|256)-gcm|chacha20-poly1305)@openssh.com)$");
+type temp_ssh_hostkeyalgorithms = string with match(SELF, "^[+-]?(" +
+ "ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|" +
+ "(ssh-rsa-cert-v0[01]|ssh-dss-cert-v01|ecdsa-sha2-nistp(256|384|521)-cert-v01|" +
+ "ssh-dss-cert-v00|ssh-ed25519-cert-v01)@openssh.com)$");
 type temp_ssh_kbdinteractivedevices = string with match (SELF, "^(bsdauth|pam|skey)$");
-type temp_ssh_kexalgorithms = string with match (SELF, "^[+-]?(diffie-hellman-group(1-sha1|14-sha1|-exchange-sha1|" +
- "-exchange-sha256)|ecdh-sha2-nistp(256|384|521)|curve25519-sha256@libssh.org|gss-gex-sha1-|" +
- "gss-group1-sha1-|gss-group14-sha1-)$");
+# Recent versions have distinct GSSAPIKexAlgorithms
+type temp_ssh_gss_kexalgorithms = string with match (SELF, "^[+-]?(gss-(gex|group1|group14)-sha1-" +
+ "|gss-group14-sha256-|gss-group16-sha512-|gss-nistp256-sha256-|gss-curve25519-sha256-)$");
+# Older versions include GSSAPI mechanisms in KEXAlgorithms, but only the SHA1 variants
+type temp_ssh_kexalgorithms = string with match (SELF, "^[+-]?(" +
+ "diffie-hellman-group(1-sha1|14-sha1|-exchange-sha1|-exchange-sha256)" +
+ "|ecdh-sha2-nistp(256|384|521)|curve25519-sha256@libssh.org" +
+ "|gss-(gex|group1|group14)-sha1-)$");
 type temp_ssh_MACs = string with match(SELF, "^[+-]?(hmac-(sha1|sha1-96|sha2-256|sha2-512|md5|md5-96|ripemd160)|" +
 "(hmac-ripemd160|umac-64|umac-128|hmac-sha1-etm|hmac-sha1-96-etm|hmac-sha2-256-etm|hmac-sha2-512-etm|" +
 "hmac-md5-etm|hmac-md5-96-etm|hmac-ripemd160-etm|umac-64-etm|umac-128-etm)@openssh.com)$");
-type temp_ssh_CAAlgorithms = string with match(SELF, "^[+-]?(ecdsa-sha2-nistp(256|384|521)|ssh-ed25519|rsa-sha2-(256|512)|ssh-rsa)$");
+type temp_ssh_CAAlgorithms = string with match(SELF, "^[+-]?(" +
+ "ecdsa-sha2-nistp(256|384|521)|ssh-ed25519|rsa-sha2-(256|512)|ssh-rsa)$");
 
 type ssh_config_opts = {
@@ -60,6 +69,7 @@ type ssh_config_opts = {
 'GSSAPIClientIdentity' ? string
 'GSSAPIDelegateCredentials' ? boolean
 'GSSAPIKeyExchange' ? boolean
+ 'GSSAPIKexAlgorithms' ? temp_ssh_gss_kexalgorithms[]
 'GSSAPIRenewalForcesRekey' ? boolean
 'GSSAPIServerIdentity' ? string
 'GSSAPITrustDns' ? boolean
@@ -205,6 +215,7 @@ type sshd_config_match = {
 type sshd_config_opts = {
 include sshd_config_match_opts
 'AddressFamily' ? string with match (SELF, "^(any|inet|inet6)$")
+ 'CASignatureAlgorithms' ? temp_ssh_CAAlgorithms[]
 'ChallengeResponseAuthentication' ? boolean
 'Ciphers' ? temp_ssh_ciphers[]
 'Compression' ? boolean
@@ -213,6 +224,7 @@ type sshd_config_opts = {
 'FingerprintHash' ? string with match (SELF, "^(md5|sha256)$")
 'GSSAPICleanupCredentials' ? boolean
 'GSSAPIKeyExchange' ? boolean
+ 'GSSAPIKexAlgorithms' ? temp_ssh_gss_kexalgorithms[]
 'GSSAPIStrictAcceptorCheck' ? boolean
 'GSSAPIStoreCredentialsOnRekey' ? boolean
 'HostCertificate' ? string
From d84602c843ff78bdd4d3bb48ee3c757f8b7a78de Mon Sep 17 00:00:00 2001
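Review bot: `temp_ssh_kexalgorithms` still cannot express the key-exchange methods current hardening guides recommend — `curve25519-sha256` (the IANA name, accepted by OpenSSH alongside the `@libssh.org` spelling since 7.4), `diffie-hellman-group14-sha256`, `diffie-hellman-group16-sha512` and `diffie-hellman-group18-sha512` are all rejected by the regex, while `diffie-hellman-group1-sha1` is accepted. Since the type exists so operators can restrict KexAlgorithms, the omission pushes them toward the weaker set; widening the two alternations to `"diffie-hellman-group(1-sha1|14-sha1|14-sha256|16-sha512|18-sha512|-exchange-sha1|-exchange-sha256)" +` and `"|ecdh-sha2-nistp(256|384|521)|curve25519-sha256(@libssh.org)?" +` fixes it. The same gap is in `temp_ssh_hostkeyalgorithms`, which has no `rsa-sha2-(256|512)` or `rsa-sha2-(256|512)-cert-v01@openssh.com` entries even though `temp_ssh_CAAlgorithms` lists them, so an operator who removes `ssh-rsa` with `-ssh-rsa` cannot re-enable SHA-2 RSA signatures for the host key.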
From: stdweird
Date: Wed, 10 Jun 2020 22:36:39 +0200
Subject: [PATCH 07/14] ncm-metaconfig: ssh: make tests pass

---
 .../src/main/metaconfig/ssh/pan/schema.pan | 2 +-
 .../metaconfig/ssh/tests/regexps/client_config/base | 9 +++++----
 .../metaconfig/ssh/tests/regexps/server_allopts/base | 12 ++++++------
 3 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan b/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan
index fdd75b5849..3525594ff1 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan
@@ -8,7 +8,7 @@ include 'pan/types';
 type temp_ssh_ciphers = string with match (SELF, "^[+-]?(" +
 "(blowfish|3des|aes(128|192|256)|cast128)-cbc" +
 "|aes(128|192|256)-ctr|arcfour|arcfour(128|256)" +
- "|aes(128|256)-gcm|chacha20-poly1305)@openssh.com)$");
+ "|(aes(128|256)-gcm|chacha20-poly1305)@openssh.com)$");
 type temp_ssh_hostkeyalgorithms = string with match(SELF, "^[+-]?(" +
 "ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|" +
 "(ssh-rsa-cert-v0[01]|ssh-dss-cert-v01|ecdsa-sha2-nistp(256|384|521)-cert-v01|" +
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_config/base b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_config/base
index 2274ae0dfe..a66ed426bc 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_config/base
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_config/base
@@ -7,22 +7,23 @@ Base test for ssh client config
 ^IdentityFile\s~/.ssh/identity$
 ^IdentityFile\s~/.ssh/id_rsa$
 ^IdentityFile\s~/.ssh/id_dsa$
-^
+^$
 ^Match\suser\stestuser2\soriginalhost\shostname4$
 ^\s{4}BatchMode\sYes$
 ^\s{4}ForwardX11\sNo$
 ^\s{4}NumberOfPasswordPrompts\s1$
-^
+^$
 ^Host\shostname.example.com\shostname4.example.com$
 ^\s{4}ProxyCommand\sssh\s-q\s-W\s%h:%p\sgateway.example.com$
 ^\s{4}User\stestuser$
-^
+^$
 ^Host\shostname2.example.com$
 ^\s{4}ProxyCommand\sssh\s-q\s-W\s%h:%p\sgateway2.example.com$
 ^\s{4}User\stestuser$
 ^\s{4}VerifyHostKeyDNS\sask$
-^
+^$
 ^Host\s\*$
 ^\s{4}ForwardX11Trusted\sYes$
 ^\s{4}GSSAPIAuthentication\sYes$
 ^\s{4}SendEnv\sLANG\sLC_CTYPE\sLC_NUMERIC\sLC_TIME\sLC_ALL\sLC_MESSAGES\sLANGUAGE\sXMODIFIERS$
+^$
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_allopts/base b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_allopts/base
index 363a2985f7..395717d8f4 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_allopts/base
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_allopts/base
@@ -25,7 +25,7 @@ Base test for all ssh server config options
 ^Compression\sNo$
 ^DenyGroups\sadm$
 ^DenyUsers\sroot$
-^DisableForwarding\s0$
+^DisableForwarding\sNo$
 ^ExposeAuthInfo\sNo$
 ^FingerprintHash\ssha256$
 ^ForceCommand\scat\s/etc/motd$
@@ -65,9 +65,9 @@ Base test for all ssh server config options
 ^PermitEmptyPasswords\sNo$
 ^PermitListen\s8080\s127\.0\.0\.1:\*$
 ^PermitOpen\s8080\s192\.168\.0\.1:\*$
-^PermitRootLogin\sYes$
+^PermitRootLogin\sprohibit-password$
 ^PermitTTY\sYes$
-^PermitTunnel\sYes$
+^PermitTunnel\spoint-to-point$
 ^PermitUserEnvironment\sNo$
 ^PermitUserRC\sNo$
 ^PidFile\s/run/sshd\.pid$
@@ -78,10 +78,10 @@ Base test for all ssh server config options
 ^PubkeyAcceptedKeyTypes\s-ssh-rsa$
 ^PubkeyAuthentication\sYes$
 ^RDomain\s%D$
-^RSAAuthentication\s0$
+^RSAAuthentication\sNo$
 ^RekeyLimit\s1G\s300s$
 ^RevokedKeys\s/etc/ssh/revoked_keys$
-^RhostsRSAAuthentication\s0$
+^RhostsRSAAuthentication\sNo$
 ^SetEnv\sLC_ALL="C"$
 ^SetEnv\sTERM="xterm"$
 ^StreamLocalBindMask\s0177$
@@ -95,5 +95,5 @@ Base test for all ssh server config options
 ^VersionAddendum\sextra$
 ^X11DisplayOffset\s10$
 ^X11Forwarding\sYes$
-^X11UseLocalHost\s1$
+^X11UseLocalHost\sYes$
 ^XAuthLocation\s/usr/bin/xauth$
From e1d6bec8752ae2ad9f2811342b363fb706b89803 Mon Sep 17 00:00:00 2001
From: stdweird
Date: Wed, 10 Jun 2020 22:37:01 +0200
Subject: [PATCH 08/14] ncm-metaconfig: ssh: set daemons and test command for server config

---
 ncm-metaconfig/src/main/metaconfig/ssh/pan/server_config.pan | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/pan/server_config.pan b/ncm-metaconfig/src/main/metaconfig/ssh/pan/server_config.pan
index 2f8250e567..4283933c31 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/pan/server_config.pan
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/pan/server_config.pan
@@ -6,3 +6,5 @@ bind "/software/components/metaconfig/services/{/etc/ssh/sshd_config}/contents"
 prefix "/software/components/metaconfig/services/{/etc/ssh/sshd_config}";
 "module" = "ssh/server";
+"commands/test" = "/usr/sbin/sshd -t -f /dev/stdin";
+"daemons/sshd" = "restart";
From d6917b9d16422faab1b5aeac7ff47ac9dcb633a7 Mon Sep 17 00:00:00 2001
From: stdweird
Date: Wed, 10 Jun 2020 22:42:28 +0200
Subject: [PATCH 09/14] ncm-metaconfig: ssh: cleanup TT files a bit

---
 .../src/main/metaconfig/ssh/client_attrs.tt | 31 ++++++++--------
 .../src/main/metaconfig/ssh/server_attrs.tt | 35 +++++++++----------
 2 files changed, 30 insertions(+), 36 deletions(-)
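Review bot: The new `commands/test` fails closed in a way the template does not explain: per sshd(8), `-t` checks both the configuration and the sanity of the host keys, so a profile whose `HostKey` entries are not yet deployed (the server_allopts test profile lists an RSA and an ed25519 key) will fail validation and leave the previous `sshd_config` in place. That is the right outcome, but it deserves a comment above the line, e.g. `# sshd -t also verifies that every configured HostKey exists and is usable`. This step is also the first place an operator will see that legacy algorithm names the schema still admits (arcfour, blowfish-cbc) are refused by a modern sshd. `"daemons/sshd" = "restart"` is a defensible default; if you prefer not to replace the listener on every change, `reload` (SIGHUP makes sshd re-read its configuration) is the alternative — either way, a one-line comment recording the choice would help.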
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/client_attrs.tt b/ncm-metaconfig/src/main/metaconfig/ssh/client_attrs.tt
index d592e3e668..35be7df939 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/client_attrs.tt
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/client_attrs.tt
@@ -1,22 +1,12 @@
-[% spacelist = ['SendEnv', 'GlobalKnownHostsFile', 'IgnoreUnknown', 'Include', 'UserKnownHostsFile' ] -%]
-[% commalist = ['CASignatureAlgorithms', 'CanonicalDomains', 'CanonicalizePermittedCNAMEs', 'Ciphers',
- 'GSSAPIKexAlgorithms', 'HostbasedKeyTypes','HostKeyAlgorithms',
- 'KbdInteractiveDevices', 'KexAlgorithms', 'KbdInteractiveDevices',
- 'MACs', 'PreferredAuthentications', 'PubkeyAcceptedKeyTypes', 'ProxyJump',
- ] -%]
-[% multilinelist = ['CertificateFile', 'IdentityFile', 'RevokedHostKeys'] -%]
-
+[% # different forms of list handling, default for list type is comma separated
+ spacelist = ['SendEnv', 'GlobalKnownHostsFile', 'IgnoreUnknown', 'Include', 'UserKnownHostsFile' ];
+ multilinelist = ['CertificateFile', 'IdentityFile', 'RevokedHostKeys'];
+ -%]
 [%- FOREACH pair IN data.pairs -%]
-[% NEXT IF pair.key == 'hostnames' || pair.key == 'matches' -%]
-[% IF pair.value.is_boolean -%]
-[% pair.key %] [% pair.value ? 'Yes' : 'No' %]
-[% NEXT -%]
-[% END -%]
 [% SWITCH pair.key -%]
+[% CASE ['hostnames', 'matches'] %][% # Do nothing -%]
 [% CASE spacelist -%]
 [% pair.key %] [% pair.value.join(' ') %]
-[% CASE commalist -%]
-[% pair.key %] [% pair.value.join(',') %]
 [% CASE multilinelist -%]
 [% FOREACH line IN pair.value -%]
 [% pair.key %] [% line %]
@@ -26,6 +16,13 @@ SetEnv [% item.key %]="[% item.value %]"
 [% END -%]
 [% CASE -%]
-[% pair.key %] [% pair.value %]
-[% END -%]
+[% pair.key %] [% -%]
+[% IF pair.value.is_boolean -%]
+[% pair.value ? 'Yes' : 'No' -%]
+[% ELSIF CCM.is_list(pair.value) -%]
+[% pair.value.join(',') -%]
+[% ELSE -%]
+[% pair.value -%]
+[% END -%]
+[% END %]
 [% END -%]
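Review bot: The closing `[% END %]` of the new IF/ELSIF block in the second hunk is the only directive in the file without a `-%]` chomp, and that is load-bearing: `[% pair.key %] [% -%]` and every value branch chomp their own newline, so this un-chomped `%]` is what terminates the `Key value` line. A later tidy-up that "fixes" it to `-%]` would silently glue consecutive options onto one line, which ssh then parses as a single directive with extra arguments rather than rejecting the file. Please mark it, e.g. `[% END %][% # no chomp: this newline ends the option line -%]`, and consider the same note in server_attrs.tt, which uses the identical construct.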
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/server_attrs.tt b/ncm-metaconfig/src/main/metaconfig/ssh/server_attrs.tt
index cac75a53f4..128a78eb0b 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/server_attrs.tt
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/server_attrs.tt
@@ -1,20 +1,10 @@
-[% spacelist = ['AcceptEnv', 'AllowGroups', 'AllowUsers', 'AuthenticationMethods', 'AuthorizedKeysFile', 'AuthorizedPrincipalsFile',
- 'DenyGroups', 'DenyUsers',
- 'IPQoS',
- 'PermitListen', 'PermitOpen',
- 'RekeyLimit' ] -%]
-[% commalist = ['Ciphers', 'HostKeyAlgorithms', 'HostbasedAcceptedKeyTypes', 'KexAlgorithms', 'MACs', 'PubkeyAcceptedKeyTypes' ] -%]
-[% multilinelist = ['HostKey', 'ListenAddress', 'Port' ] -%]
-
+[% # different forms of list handling, default for list type is space separated
+ commalist = ['Ciphers', 'HostKeyAlgorithms', 'HostbasedAcceptedKeyTypes', 'KexAlgorithms', 'MACs', 'PubkeyAcceptedKeyTypes' ];
+ multilinelist = ['HostKey', 'ListenAddress', 'Port' ]
+ -%]
 [%- FOREACH pair IN data.pairs -%]
-[% NEXT IF pair.key == 'matches' -%]
-[% IF pair.value.is_boolean -%]
-[% pair.key %] [% pair.value ? 'Yes' : 'No' %]
-[% NEXT -%]
-[% END -%]
 [% SWITCH pair.key -%]
-[% CASE spacelist -%]
-[% pair.key %] [% pair.value.join(' ') %]
+[% CASE 'matches' %][% # do nothing -%]
 [% CASE commalist -%]
 [% pair.key %] [% pair.value.join(',') %]
 [% CASE multilinelist -%]
@@ -23,13 +13,20 @@
 [% END -%]
 [% CASE 'Subsystem' -%]
 [% FOREACH item IN pair.value.pairs -%]
-Subsystem [% item.key %] [% item.value %]
+Subsystem [% item.key %] [% item.value %]
 [% END -%]
 [% CASE 'SetEnv' -%]
 [% FOREACH item IN pair.value.pairs -%]
-SetEnv [% item.key %]="[% item.value %]"
+SetEnv [% item.key %]="[% item.value %]"
 [% END -%]
 [% CASE -%]
-[% pair.key %] [% pair.value %]
-[% END -%]
+[% pair.key %] [% -%]
+[% IF pair.value.is_boolean -%]
+[% pair.value ? 'Yes' : 'No' -%]
+[% ELSIF CCM.is_list(pair.value) -%]
+[% pair.value.join(' ') -%]
+[% ELSE -%]
+[% pair.value -%]
+[% END -%]
+[% END %]
 [% END -%]
From 59801ec5037c818ec40b350a987baffc4470d78a Mon Sep 17 00:00:00 2001
From: stdweird
Date: Wed, 10 Jun 2020 22:46:39 +0200
Subject: [PATCH 10/14] ncm-metaconfig: ssh: use lowercase yes/no for boolean (cfr the man pages)

---
 .../src/main/metaconfig/ssh/client_attrs.tt | 2 +-
 .../src/main/metaconfig/ssh/server_attrs.tt | 2 +-
 .../ssh/tests/regexps/client_allopts/base | 64 ++++++++---------
 .../ssh/tests/regexps/client_config/base | 8 +--
 .../ssh/tests/regexps/server_allopts/base | 70 +++++++++----------
 .../ssh/tests/regexps/server_config/base | 4 +-
 6 files changed, 75 insertions(+), 75 deletions(-)

diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/client_attrs.tt b/ncm-metaconfig/src/main/metaconfig/ssh/client_attrs.tt
index 35be7df939..675893d00e 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/client_attrs.tt
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/client_attrs.tt
@@ -18,7 +18,7 @@ SetEnv [% item.key %]="[% item.value %]"
 [% CASE -%]
 [% pair.key %] [% -%]
 [% IF pair.value.is_boolean -%]
-[% pair.value ? 'Yes' : 'No' -%]
+[% pair.value ? 'yes' : 'no' -%]
 [% ELSIF CCM.is_list(pair.value) -%]
 [% pair.value.join(',') -%]
 [% ELSE -%]
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/server_attrs.tt b/ncm-metaconfig/src/main/metaconfig/ssh/server_attrs.tt
index 128a78eb0b..55e06d34d1 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/server_attrs.tt
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/server_attrs.tt
@@ -22,7 +22,7 @@ SetEnv [% item.key %]="[% item.value %]"
 [% CASE -%]
 [% pair.key %] [% -%]
 [% IF pair.value.is_boolean -%]
-[% pair.value ? 'Yes' : 'No' -%]
+[% pair.value ? 'yes' : 'no' -%]
 [% ELSIF CCM.is_list(pair.value) -%]
 [% pair.value.join(' ') -%]
 [% ELSE -%]
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_allopts/base b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_allopts/base
index d197462f98..bc7c873a04 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_allopts/base
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_allopts/base
@@ -4,21 +4,21 @@ Base test for all ssh client config options
 ---
 ^AddKeysToAgent\sconfirm$
 ^AddressFamily\sany$
-^BatchMode\sYes$
+^BatchMode\syes$
 ^BindAddress\s192\.168\.1\.1$
 ^CASignatureAlgorithms\sssh-ed25519,rsa-sha2-512$
 ^CanonicalDomains\s\.com,\.eu$
-^CanonicalizeFallbackLocal\sYes$
+^CanonicalizeFallbackLocal\syes$
 ^CanonicalizeHostname\salways$
 ^CanonicalizePermittedCNAMEs\s\*\.a\.example\.com:\*\.b\.example\.com,\*\.c\.example\.com$
 ^CertificateFile\s/absolute/path$
 ^CertificateFile\s~/home/relative$
-^ChallengeResponseAuthentication\sNo$
-^CheckHostIP\sYes$
+^ChallengeResponseAuthentication\sno$
+^CheckHostIP\syes$
 ^Cipher\s3des$
 ^Ciphers\schacha20-poly1305@openssh\.com,arcfour256,arcfour128,aes128-cbc,3des-cbc$
-^ClearAllForwardings\sYes$
-^Compression\sNo$
+^ClearAllForwardings\syes$
+^Compression\sno$
 ^CompressionLevel\s7$
 ^ConnectTimeout\s10$
 ^ConnectionAttempts\s3$
@@ -26,80 +26,80 @@ Base test for all ssh client config options
 ^ControlPath\s%l%h%p%r$
 ^ControlPersist\sno$
 ^DynamicForward\s192\.168\.1\.2$
-^EnableSSHKeysign\sYes$
+^EnableSSHKeysign\syes$
 ^EscapeChar\s~$
-^ExitOnForwardFailure\sYes$
+^ExitOnForwardFailure\syes$
 ^FingerprintHash\ssha256$
-^ForwardAgent\sYes$
-^ForwardX11\sNo$
+^ForwardAgent\syes$
+^ForwardX11\sno$
 ^ForwardX11Timeout\s10$
-^ForwardX11Trusted\sNo$
-^GSSAPIAuthentication\sNo$
+^ForwardX11Trusted\sno$
+^GSSAPIAuthentication\sno$
 ^GSSAPIClientIdentity\scustom$
-^GSSAPIDelegateCredentials\sNo$
-^GSSAPIKeyExchange\sYes$
-^GSSAPIRenewalForcesRekey\sYes$
+^GSSAPIDelegateCredentials\sno$
+^GSSAPIKeyExchange\syes$
+^GSSAPIRenewalForcesRekey\syes$
 ^GSSAPIServerIdentity\sserver@principal$
-^GSSAPITrustDns\sNo$
-^GatewayPorts\sNo$
+^GSSAPITrustDns\sno$
+^GatewayPorts\sno$
 ^GlobalKnownHostsFile\s/etc/ssh/ssh_known_hosts\s/etc/ssh/ssh_known_hosts2$
-^HashKnownHosts\sNo$
+^HashKnownHosts\sno$
 ^HostKeyAlgorithms\sssh-rsa-cert-v01@openssh\.com,ssh-dss-cert-v01@openssh\.com$
 ^HostKeyAlias\shostname2$
 ^HostName\s%h$
-^HostbasedAuthentication\sYes$
+^HostbasedAuthentication\syes$
 ^HostbasedKeyTypes\s\*$
 ^IPQoS\sthroughput$
-^IdentitiesOnly\sYes$
+^IdentitiesOnly\syes$
 ^IdentityAgent\snone$
 ^IdentityFile\s~/\.ssh/identity$
 ^IdentityFile\s~/\.ssh/id_rsa$
 ^IdentityFile\s~/\.ssh/id_dsa$
 ^IgnoreUnknown\sIPQoS\sKbdInteractiveAuthentication$
 ^Include\s/absolute/path\s~/home/relative\ssshconf_relative$
-^KbdInteractiveAuthentication\sYes$
+^KbdInteractiveAuthentication\syes$
 ^KbdInteractiveDevices\spam,skey$
 ^KexAlgorithms\secdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521$
 ^LocalCommand\sls$
 ^LocalForward\s\*$
 ^LogLevel\sDEBUG3$
 ^MACs\shmac-sha1-96-etm@openssh\.com,hmac-md5-96-etm@openssh\.com$
-^NoHostAuthenticationForLocalhost\sYes$
+^NoHostAuthenticationForLocalhost\syes$
 ^NumberOfPasswordPrompts\s9$
 ^PKCS11Provider\s/usr/lib/opensc-pkcs11\.so$
-^PasswordAuthentication\sNo$
-^PermitLocalCommand\sNo$
+^PasswordAuthentication\sno$
+^PermitLocalCommand\sno$
 ^Port\s22$
 ^PreferredAuthentications\sgssapi-with-mic,hostbased,publickey$
 ^Protocol\s2$
 ^ProxyCommand\sssh\s-q\s-W\s%h:%p\sgateway\.example\.com$
 ^ProxyJump\suser1@host1,user2@host2$
-^ProxyUseFdpass\sNo$
+^ProxyUseFdpass\sno$
 ^PubkeyAcceptedKeyTypes\s-ssh-rsa$
-^PubkeyAuthentication\sYes$
-^RSAAuthentication\sYes$
+^PubkeyAuthentication\syes$
+^RSAAuthentication\syes$
 ^RekeyLimit\s1G$
 ^RemoteCommand\scat /etc/motd$
 ^RemoteForward\s\*$
 ^RequestTTY\sforce$
 ^RevokedHostKeys\s~/\.ssh/revokedkeys\.txt$
-^RhostsRSAAuthentication\sYes$
+^RhostsRSAAuthentication\syes$
 ^SendEnv\sLANG\sLC_CTYPE\sLC_NUMERIC\sLC_TIME$
 ^ServerAliveCountMax\s4$
 ^ServerAliveInterval\s0$
 ^SetEnv\sLC_ALL="C"$
 ^SetEnv\sTERM="xterm"$
 ^StreamLocalBindMask\s0177$
-^StreamLocalBindUnlink\sNo$
+^StreamLocalBindUnlink\sno$
 ^StrictHostKeyChecking\sask$
 ^SyslogFacility\sLOCAL1$
-^TCPKeepAlive\sYes$
+^TCPKeepAlive\syes$
 ^Tunnel\sethernet$
 ^TunnelDevice\stun0$
 ^UpdateHostKeys\sask$
-^UsePrivilegedPort\sNo$
+^UsePrivilegedPort\sno$
 ^User\stestuser$
 ^UserKnownHostsFile\s~/\.ssh/known_hosts\s~/\.ssh/known_hosts2$
 ^VerifyHostKeyDNS\sask$
-^VisualHostKey\sYes$
+^VisualHostKey\syes$
 ^XAuthLocation\s/usr/X11R6/bin/xauth$
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_config/base b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_config/base
index a66ed426bc..2e23afae62 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_config/base
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_config/base
@@ -9,8 +9,8 @@ Base test for ssh client config
 ^IdentityFile\s~/.ssh/id_dsa$
 ^$
 ^Match\suser\stestuser2\soriginalhost\shostname4$
-^\s{4}BatchMode\sYes$
-^\s{4}ForwardX11\sNo$
+^\s{4}BatchMode\syes$
+^\s{4}ForwardX11\sno$
 ^\s{4}NumberOfPasswordPrompts\s1$
 ^$
 ^Host\shostname.example.com\shostname4.example.com$
@@ -23,7 +23,7 @@ Base test for ssh client config
 ^\s{4}VerifyHostKeyDNS\sask$
 ^$
 ^Host\s\*$
-^\s{4}ForwardX11Trusted\sYes$
-^\s{4}GSSAPIAuthentication\sYes$
+^\s{4}ForwardX11Trusted\syes$
+^\s{4}GSSAPIAuthentication\syes$
 ^\s{4}SendEnv\sLANG\sLC_CTYPE\sLC_NUMERIC\sLC_TIME\sLC_ALL\sLC_MESSAGES\sLANGUAGE\sXMODIFIERS$
 ^$
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_allopts/base b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_allopts/base
index 395717d8f4..53edd24c04 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_allopts/base
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_allopts/base
@@ -4,7 +4,7 @@ Base test for all ssh server config options
 ---
 ^AcceptEnv\sLC_CTYPE\sLANG\sTERM$
 ^AddressFamily\sany$
-^AllowAgentForwarding\sNo$
+^AllowAgentForwarding\sno$
 ^AllowGroups\swheel$
 ^AllowStreamLocalForwarding\slocal$
 ^AllowTcpForwarding\slocal$
@@ -17,23 +17,23 @@ Base test for all ssh server config options
 ^AuthorizedPrincipalsCommandUser\sprincuser$
 ^AuthorizedPrincipalsFile\s/etc/ssh/x509_users\s\.ssh/x509_users$
 ^Banner\sConfigured by Quattor$
-^ChallengeResponseAuthentication\sNo$
+^ChallengeResponseAuthentication\sno$
 ^ChrootDirectory\s/srv/ssh$
 ^Ciphers\schacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc$
 ^ClientAliveCountMax\s3$
 ^ClientAliveInterval\s30$
-^Compression\sNo$
+^Compression\sno$
 ^DenyGroups\sadm$
 ^DenyUsers\sroot$
-^DisableForwarding\sNo$
-^ExposeAuthInfo\sNo$
+^DisableForwarding\sno$
+^ExposeAuthInfo\sno$
 ^FingerprintHash\ssha256$
 ^ForceCommand\scat\s/etc/motd$
-^GSSAPIAuthentication\sYes$
-^GSSAPICleanupCredentials\sYes$
-^GSSAPIKeyExchange\sYes$
-^GSSAPIStoreCredentialsOnRekey\sYes$
-^GSSAPIStrictAcceptorCheck\sYes$
+^GSSAPIAuthentication\syes$
+^GSSAPICleanupCredentials\syes$
+^GSSAPIKeyExchange\syes$
+^GSSAPIStoreCredentialsOnRekey\syes$
+^GSSAPIStrictAcceptorCheck\syes$
 ^GatewayPorts\sclientspecified$
 ^HostCertificate\s/etc/ssh/ssh_host_cert.pem$
 ^HostKey\s/etc/ssh/ssh_host_rsa_key$
@@ -41,16 +41,16 @@ Base test for all ssh server config options
 ^HostKeyAgent\s/run/ssh/key_agent\.socket$
 ^HostKeyAlgorithms\secdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521$
 ^HostbasedAcceptedKeyTypes\s-ssh-rsa$
-^HostbasedAuthentication\sYes$
-^HostbasedUsesNameFromPacketOnly\sNo$
+^HostbasedAuthentication\syes$
+^HostbasedUsesNameFromPacketOnly\sno$
 ^IPQoS\slowdelay\sthroughput$
-^IgnoreRhosts\sYes$
-^IgnoreUserKnownHosts\sYes$
-^KbdInteractiveAuthentication\sYes$
-^KerberosAuthentication\sNo$
-^KerberosGetAFSToken\sNo$
-^KerberosOrLocalPasswd\sNo$
-^KerberosTicketCleanup\sYes$
+^IgnoreRhosts\syes$
+^IgnoreUserKnownHosts\syes$
+^KbdInteractiveAuthentication\syes$
+^KerberosAuthentication\sno$
+^KerberosGetAFSToken\sno$
+^KerberosOrLocalPasswd\sno$
+^KerberosTicketCleanup\syes$
 ^KexAlgorithms\secdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521$
 ^ListenAddress\s127\.0\.0\.1:22$
 ^ListenAddress\s192\.168\.0\.1:22$
@@ -61,39 +61,39 @@ Base test for all ssh server config options
 ^MaxAuthTries\s3$
 ^MaxSessions\s10$
 ^MaxStartups\s10:30:100$
-^PasswordAuthentication\sNo$
-^PermitEmptyPasswords\sNo$
+^PasswordAuthentication\sno$
+^PermitEmptyPasswords\sno$
 ^PermitListen\s8080\s127\.0\.0\.1:\*$
 ^PermitOpen\s8080\s192\.168\.0\.1:\*$
 ^PermitRootLogin\sprohibit-password$
-^PermitTTY\sYes$
+^PermitTTY\syes$
 ^PermitTunnel\spoint-to-point$
-^PermitUserEnvironment\sNo$
-^PermitUserRC\sNo$
+^PermitUserEnvironment\sno$
+^PermitUserRC\sno$
 ^PidFile\s/run/sshd\.pid$
 ^Port\s22$
 ^Port\s2200$
-^PrintLastLog\sYes$
-^PrintMotd\sYes$
+^PrintLastLog\syes$
+^PrintMotd\syes$
 ^PubkeyAcceptedKeyTypes\s-ssh-rsa$
-^PubkeyAuthentication\sYes$
+^PubkeyAuthentication\syes$
 ^RDomain\s%D$
-^RSAAuthentication\sNo$
+^RSAAuthentication\sno$
 ^RekeyLimit\s1G\s300s$
 ^RevokedKeys\s/etc/ssh/revoked_keys$
-^RhostsRSAAuthentication\sNo$
+^RhostsRSAAuthentication\sno$
 ^SetEnv\sLC_ALL="C"$
 ^SetEnv\sTERM="xterm"$
 ^StreamLocalBindMask\s0177$
-^StreamLocalBindUnlink\sNo$
+^StreamLocalBindUnlink\sno$
 ^Subsystem\ssftp\sinternal-sftp$
 ^SyslogFacility\sAUTH$
-^TCPKeepAlive\sYes$
+^TCPKeepAlive\syes$
 ^TrustedUserCAKeys\s/etc/ssh/trusted_cas$
-^UseDNS\sYes$
-^UsePAM\sYes$
+^UseDNS\syes$
+^UsePAM\syes$
 ^VersionAddendum\sextra$
 ^X11DisplayOffset\s10$
-^X11Forwarding\sYes$
-^X11UseLocalHost\sYes$
+^X11Forwarding\syes$
+^X11UseLocalHost\syes$
 ^XAuthLocation\s/usr/bin/xauth$
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_config/base b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_config/base
index a02fa74943..e52e2ac921 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_config/base
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_config/base
@@ -4,6 +4,6 @@ Base test for ssh server config
 ---
 ^AddressFamily\sany$
 ^Ciphers\saes128-ctr,aes192-ctr,aes256-ctr$
-^PasswordAuthentication\sNo$
+^PasswordAuthentication\sno$
 ^Match\sUser\stestuser2\sAddress\s192.168.0.0/16$
-^\s{4}PasswordAuthentication\sYes$
+^\s{4}PasswordAuthentication\syes$
From e285b6519ba5591ef90d3cb38735bc7e81356ffd Mon Sep 17 00:00:00 2001
From: stdweird
Date: Wed, 10 Jun 2020 23:43:36 +0200
Subject: [PATCH 11/14] ncm-metaconfig: ssh: add more structure to Match
---
 .../src/main/metaconfig/ssh/client.tt | 2 +-
 .../src/main/metaconfig/ssh/match.tt | 8 +++++
 .../src/main/metaconfig/ssh/pan/schema.pan | 36 +++++++++++++++++--
 .../src/main/metaconfig/ssh/server.tt | 2 +-
 .../src/main/metaconfig/ssh/server_attrs.tt | 2 +-
 .../ssh/tests/profiles/client_config.pan | 22 +++++++-----
 .../ssh/tests/profiles/server_config.pan | 16 +++++----
 .../ssh/tests/regexps/client_config/base | 2 +-
 .../ssh/tests/regexps/server_config/base | 4 ++-
 9 files changed, 71 insertions(+), 23 deletions(-)
 create mode 100644 ncm-metaconfig/src/main/metaconfig/ssh/match.tt
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/client.tt b/ncm-metaconfig/src/main/metaconfig/ssh/client.tt
index a84b09c55b..6184e62512 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/client.tt
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/client.tt
@@ -2,7 +2,7 @@
 [% INCLUDE metaconfig/ssh/client_attrs.tt data=main -%]
 [% FOREACH mt IN Match -%]
-Match [% mt.matches.join(' ') %]
+[% INCLUDE metaconfig/ssh/match.tt %]
 [% INCLUDE metaconfig/ssh/client_attrs.tt data=mt FILTER indent %]
 [% END -%]
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/match.tt b/ncm-metaconfig/src/main/metaconfig/ssh/match.tt
new file mode 100644
index 0000000000..4544e0509b
--- /dev/null
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/match.tt
@@ -0,0 +1,8 @@
+Match[% -%]
+[% FOREACH pair IN mt.criteria.pairs -%]
+[% IF pair.value.is_boolean -%]
+ [% pair.key -%]
+[% ELSE -%]
+ [% pair.key %] [% CCM.is_list(pair.value) ? pair.value.join(',') : pair.value -%]
+[% END -%]
+[% END -%]
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan b/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan
index 3525594ff1..31d7b38267 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan
@@ -135,13 +135,27 @@ type ssh_config_opts = {
 type ssh_config_host = {
 "hostnames" : string[]
 include ssh_config_opts
+};
+type ssh_config_match_criteria = {
+ "all" ? boolean with SELF
+ "canonical" ? boolean with SELF
+ "final" ? boolean with SELF
+ "user" ? string[]
+ "localuser" ? string[]
+ "host" ? string[]
+ "originalhost" ? string[]
+ "exec" ? string
+} with {
+ if (exists(SELF['all']) && length(SELF) > 1) {
+ error('You can only set all, no other options allowed');
+ };
+ true;
 };
 type ssh_config_match = {
- "matches" : string[]
+ "criteria" : ssh_config_match_criteria with length(SELF) > 0
 include ssh_config_opts
-
 };
 type ssh_config_file = {
@@ -207,8 +221,24 @@ type sshd_config_match_opts = {
 'X11UseLocalHost' ? boolean
 };
+type sshd_config_match_criteria = {
+ "All" ? boolean with SELF
+ "User" ? string[]
+ "Group" ? string[]
+ "Host" ? string[]
+ "LocalAddress" ? string[]
+ "LocalPort" ? string[]
+ "RDomain" ? string[]
+ "Address" ? string[]
+} with {
+ if (exists(SELF['All']) && length(SELF) > 1) {
+ error('You can only set All, no other options allowed');
+ };
+ true;
+};
+
 type sshd_config_match = {
- "matches" : string[]
+ "criteria" : sshd_config_match_criteria with length(SELF) > 0
 include sshd_config_match_opts
 };
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/server.tt b/ncm-metaconfig/src/main/metaconfig/ssh/server.tt
index b5b6de5124..c33d9f7c39 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/server.tt
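Review bot: On the `[% pair.key %] [% CCM.is_list(pair.value) ? pair.value.join(',') : pair.value -%]` line the `exec` criterion is emitted unquoted, so an exec command carrying arguments (anything with whitespace) is tokenised by ssh into several Match words instead of one command; ssh_config requires such commands to be double-quoted. Either quote that key in the template, `[% pair.key %] [% pair.key == 'exec' ? '"' _ pair.value _ '"' : (CCM.is_list(pair.value) ? pair.value.join(',') : pair.value) -%]` (the `exec\s/a/b/c` regexp in tests/regexps/client_config/base would then expect the quotes), or reject whitespace in the `ssh_config_match_criteria` hunk below with `"exec" ? string with !match(SELF, '\s')`. Separately, `.pairs` emits the criteria in key order, so `exec` always lands before `host`, `originalhost` and `user`; as far as I recall ssh evaluates Match criteria left to right and skips `exec` only when an earlier criterion has already failed, so the shell command would run for every connection rather than only for the user/host combinations that matched. If that ordering is intended, a comment in match.tt saying so would help the next reader.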
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/server.tt
@@ -2,6 +2,6 @@
 [% INCLUDE metaconfig/ssh/server_attrs.tt data=main -%]
 [% FOREACH mt IN Match -%]
-Match [% mt.matches.join(' ') %]
+[% INCLUDE metaconfig/ssh/match.tt %]
 [% INCLUDE metaconfig/ssh/server_attrs.tt data=mt FILTER indent %]
 [% END -%]
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/server_attrs.tt b/ncm-metaconfig/src/main/metaconfig/ssh/server_attrs.tt
index 55e06d34d1..e362e817f7 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/server_attrs.tt
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/server_attrs.tt
@@ -4,7 +4,7 @@
 -%]
 [%- FOREACH pair IN data.pairs -%]
 [% SWITCH pair.key -%]
-[% CASE 'matches' %][% # do nothing -%]
+[% CASE 'criteria' %][% # do nothing -%]
 [% CASE commalist -%]
 [% pair.key %] [% pair.value.join(',') %]
 [% CASE multilinelist -%]
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/client_config.pan b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/client_config.pan
index d71286553a..189cf65c1f 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/client_config.pan
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/client_config.pan
@@ -8,14 +8,17 @@ prefix "/software/components/metaconfig/services/{/etc/ssh/ssh_config}/contents"
 "main/IdentityFile" = list("~/.ssh/identity", "~/.ssh/id_rsa", "~/.ssh/id_dsa");
 "main/Ciphers" = list("aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256", "arcfour128", "aes128-cbc", "3des-cbc");
-'Match' = append(
- dict(
- "matches", list("user testuser2", "originalhost hostname4"),
- "ForwardX11", false,
- "BatchMode", true,
- "NumberOfPasswordPrompts", 1,
- )
- );
+'Match/0' = dict(
+ "ForwardX11", false,
+ "BatchMode", true,
+ "NumberOfPasswordPrompts", 1,
+);
+'Match/0/criteria' = dict(
+ "user", list("testuser2"),
+ "originalhost", list("hostname4"),
+ "exec", "/a/b/c",
+ "canonical", true,
+);
 'Host' = append(
 dict(
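Review bot: Only server_attrs.tt gets the `[% CASE 'criteria' %][% # do nothing -%]` skip, while client.tt (hunk above) still renders each Match entry through client_attrs.tt with `data=mt`, and client_attrs.tt is not in this patch's file list. Unless client_attrs.tt already ignores keys it does not know, the new `criteria` dict falls through its SWITCH and is printed inside the Match block as a bogus option line holding a stringified hash; if the regexp tests only assert that the expected lines are present, they would not catch that extra line. Worth confirming, and adding the same `CASE 'criteria'` skip to client_attrs.tt if it is missing.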
@@ -41,7 +44,8 @@ prefix "/software/components/metaconfig/services/{/etc/ssh/ssh_config}/contents"
 "hostnames", list("*"),
 "GSSAPIAuthentication", true,
 "ForwardX11Trusted", true,
- "SendEnv", list("LANG", "LC_CTYPE", "LC_NUMERIC", "LC_TIME", "LC_ALL", "LC_MESSAGES", "LANGUAGE", "XMODIFIERS"),
+ "SendEnv", list("LANG", "LC_CTYPE", "LC_NUMERIC", "LC_TIME", "LC_ALL",
+ "LC_MESSAGES", "LANGUAGE", "XMODIFIERS"),
 )
 );
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_config.pan b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_config.pan
index 5bf466885f..59e94d3b52 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_config.pan
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_config.pan
@@ -9,9 +9,13 @@ prefix "/software/components/metaconfig/services/{/etc/ssh/sshd_config}/contents
 "main/PasswordAuthentication" = false;
 "main/Subsystem" = dict("sftp", "internal-sftp");
-'Match' = append(
- dict(
- "matches", list("User testuser2", "Address 192.168.0.0/16"),
- "PasswordAuthentication", true,
- )
- );
+"Match/0/criteria" = dict(
+ "User", list("testuser2"),
+ "Address", list("192.168.0.0/16", "!192.168.10.0/24"),
+ );
+"Match/0/PasswordAuthentication" = true;
+
+"Match/1/criteria" = dict(
+ "All", true,
+ );
+"Match/1/PasswordAuthentication" = false;
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_config/base b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_config/base
index 2e23afae62..2eea216f04 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_config/base
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_config/base
@@ -8,7 +8,7 @@ Base test for ssh client config
 ^IdentityFile\s~/.ssh/id_rsa$
 ^IdentityFile\s~/.ssh/id_dsa$
 ^$
-^Match\suser\stestuser2\soriginalhost\shostname4$
+^Match\scanonical\sexec\s/a/b/c\soriginalhost\shostname4\suser\stestuser2$
 ^\s{4}BatchMode\syes$
 ^\s{4}ForwardX11\sno$
 ^\s{4}NumberOfPasswordPrompts\s1$
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_config/base b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_config/base
index e52e2ac921..1e6466e7f8 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_config/base
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_config/base
@@ -5,5 +5,7 @@ Base test for ssh server config
 ^AddressFamily\sany$
 ^Ciphers\saes128-ctr,aes192-ctr,aes256-ctr$
 ^PasswordAuthentication\sno$
-^Match\sUser\stestuser2\sAddress\s192.168.0.0/16$
+^Match\sAddress\s192.168.0.0/16,!192.168.10.0/24\sUser\stestuser2$
 ^\s{4}PasswordAuthentication\syes$
+^Match\sAll$
+^\s{4}PasswordAuthentication\sno$
From 8cda5aea52f3e65dce0d8a0c4db135a8fff76f1b Mon Sep 17 00:00:00 2001
From: stdweird
Date: Thu, 11 Jun 2020 10:31:38 +0200
Subject: [PATCH 12/14] ncm-metaconfig: ssh: register sshd test from stdin command
---
 .../src/main/metaconfig/ssh/pan/server_config.pan | 8 ++++++--
 .../main/metaconfig/ssh/tests/profiles/server_config.pan | 6 ++++++
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/pan/server_config.pan b/ncm-metaconfig/src/main/metaconfig/ssh/pan/server_config.pan
index 4283933c31..609366d2d0 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/pan/server_config.pan
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/pan/server_config.pan
@@ -4,7 +4,11 @@ include 'metaconfig/ssh/schema';
 bind "/software/components/metaconfig/services/{/etc/ssh/sshd_config}/contents" = sshd_config_file;
-prefix "/software/components/metaconfig/services/{/etc/ssh/sshd_config}";
+prefix "/software/components/metaconfig";
+
+final "commands/sshd_test_stdin" = "/usr/sbin/sshd -t -f /dev/stdin";
+
+prefix "services/{/etc/ssh/sshd_config}";
 "module" = "ssh/server";
-"commands/test" = "/usr/sbin/sshd -t -f /dev/stdin";
+"actions/test" = "sshd_test_stdin";
 "daemons/sshd" = "restart";
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_config.pan b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_config.pan
index 59e94d3b52..31082acf6f 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_config.pan
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_config.pan
@@ -1,5 +1,11 @@
 object template server_config;
+# add this to test the actions/commands to trigger the main metaconfig bind
+function pkg_repl = { null; };
+include 'components/metaconfig/config';
+# remove the dependencies
+'/software/components/metaconfig/dependencies' = null;
+
 include 'metaconfig/ssh/server_config';
 prefix "/software/components/metaconfig/services/{/etc/ssh/sshd_config}/contents";
From b1d707ade7148bc9426f8a348ccf49b248d52858 Mon Sep 17 00:00:00 2001
From: stdweird
Date: Thu, 11 Jun 2020 14:01:37 +0200
Subject: [PATCH 13/14] ncm-metaconfig: ssh: support AUTHPRIV SyslogFacility
---
 ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan b/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan
index 31d7b38267..8351b927c6 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan
@@ -119,7 +119,7 @@ type ssh_config_opts = {
 'StreamLocalBindMask' ? string
 'StreamLocalBindUnlink' ? boolean
 'StrictHostKeyChecking' ? string with match (SELF, "^(yes|no|ask)$")
- 'SyslogFacility' ? string with match(SELF, "^(DAEMON|USER|AUTH|LOCAL[0-7])$")
+ 'SyslogFacility' ? string with match(SELF, "^(DAEMON|USER|AUTH(PRIV)?|LOCAL[0-7])$")
 'TCPKeepAlive' ? boolean
 'Tunnel' ? string with match (SELF, "^(yes|no|point-to-point|ethernet)$")
 'TunnelDevice' ? string
From 41d25cb69689bc56647c93ea2137f2ecbbc57b25 Mon Sep 17 00:00:00 2001
From: stdweird
Date: Thu, 11 Jun 2020 14:02:03 +0200
Subject: [PATCH 14/14] ncm-metaconfig: ssh: replace final with bind magic to fix sshd_test_stdin
---
 .../src/main/metaconfig/ssh/pan/server_config.pan | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/pan/server_config.pan b/ncm-metaconfig/src/main/metaconfig/ssh/pan/server_config.pan
index 609366d2d0..2e1d20c2e3 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/pan/server_config.pan
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/pan/server_config.pan
@@ -4,11 +4,11 @@ include 'metaconfig/ssh/schema';
 bind "/software/components/metaconfig/services/{/etc/ssh/sshd_config}/contents" = sshd_config_file;
-prefix "/software/components/metaconfig";
+# since final locks the whole path, bind it to a fix value and set it as default too
+bind "/software/components/metaconfig/commands/sshd_test_stdin" =
+ string = "/usr/sbin/sshd -t -f /dev/stdin" with SELF == "/usr/sbin/sshd -t -f /dev/stdin";
-final "commands/sshd_test_stdin" = "/usr/sbin/sshd -t -f /dev/stdin";
-
-prefix "services/{/etc/ssh/sshd_config}";
+prefix "/software/components/metaconfig/services/{/etc/ssh/sshd_config}";
 "module" = "ssh/server";
 "actions/test" = "sshd_test_stdin";
 "daemons/sshd" = "restart";
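Review bot: The sshd test command literal is spelled twice in the new `bind` (once as the default, once in `with SELF == "/usr/sbin/sshd -t -f /dev/stdin"`), so a typo in either copy makes every profile fail the constraint instead of pinning the value. A single pan global, e.g. `variable SSHD_TEST_STDIN ?= "/usr/sbin/sshd -t -f /dev/stdin";` referenced from both the default and the `with` expression, would keep the two in sync, assuming a global is usable inside a type constraint. The comment on the line above would also read better as `# final would lock the whole metaconfig path; bind this one path to a fixed value and use it as the default`. The pin itself is worth keeping: the command is presumably run by the metaconfig component, and the constraint guarantees that no other template can quietly point `commands/sshd_test_stdin` at something else.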