From 1c936bb38d39b238001364e1a7ee5479bdfff053 Mon Sep 17 00:00:00 2001 From: Dominic Cleal Date: Fri, 12 Jun 2015 11:01:57 +0100 Subject: [PATCH] Sshd: revert Sshd module to 1.1.0-compatible, add Sshd_140 In order to keep the default sshd config lens compatible with 1.1.0, the lens from 1.4.0 has been kept in the Sshd_140 module and is not loaded by default. Use aug_transform, augtool --transform etc. to use it instead of Sshd. --- lenses/sshd.aug | 52 +++++------- lenses/sshd_140.aug | 141 +++++++++++++++++++++++++++++++++ lenses/tests/test_sshd.aug | 56 ------------- lenses/tests/test_sshd_140.aug | 136 +++++++++++++++++++++++++++++++ tests/Makefile.am | 1 + 5 files changed, 298 insertions(+), 88 deletions(-) create mode 100644 lenses/sshd_140.aug create mode 100644 lenses/tests/test_sshd_140.aug diff --git a/lenses/sshd.aug b/lenses/sshd.aug index 55f6c4f7..785102ec 100644 --- a/lenses/sshd.aug +++ b/lenses/sshd.aug @@ -70,55 +70,41 @@ module Sshd = let sep = Util.del_ws_spc - let indent = del /[ \t]*/ " " - let key_re = /[A-Za-z0-9]+/ - - /MACs|Match|AcceptEnv|Subsystem|Ciphers|KexAlgorithms|(Allow|Deny)(Groups|Users)/i + - /MACs|Match|AcceptEnv|Subsystem|(Allow|Deny)(Groups|Users)/ let comment = Util.comment - let comment_noindent = Util.comment_noindent let empty = Util.empty - let array_entry (kw:regexp) (sq:string) = + let array_entry (k:string) = let value = store /[^ \t\n]+/ in - [ key kw . [ sep . seq sq . value]* . eol ] + [ key k . [ sep . seq k . value]* . eol ] let other_entry = let value = store /[^ \t\n]+([ \t]+[^ \t\n]+)*/ in [ key key_re . sep . value . eol ] - let accept_env = array_entry /AcceptEnv/i "AcceptEnv" + let accept_env = array_entry "AcceptEnv" - let allow_groups = array_entry /AllowGroups/i "AllowGroups" - let allow_users = array_entry /AllowUsers/i "AllowUsers" - let deny_groups = array_entry /DenyGroups/i "DenyGroups" - let deny_users = array_entry /DenyUsers/i "DenyUsers" + let allow_groups = array_entry "AllowGroups" + let allow_users = array_entry "AllowUsers" + let deny_groups = array_entry "DenyGroups" + let deny_users = array_entry "DenyUsers" let subsystemvalue = let value = store (/[^ \t\n](.*[^ \t\n])?/) in [ key /[A-Za-z0-9\-]+/ . sep . value . eol ] let subsystem = - [ key /Subsystem/i . sep . subsystemvalue ] + [ key "Subsystem" . sep . subsystemvalue ] - let list (kw:regexp) (sq:string) = - let value = store /[^, \t\n]+/ in - [ key kw . sep . - [ seq sq . value ] . - ([ seq sq . Util.del_str "," . value])* . + let macs = + let mac_value = store /[^, \t\n]+/ in + [ key "MACs" . sep . + [ seq "macs" . mac_value ] . + ([ seq "macs" . Util.del_str "," . mac_value])* . eol ] - let macs = list /MACs/i "MACs" - - let ciphers = list /Ciphers/i "Ciphers" - - let kexalgorithms = list /KexAlgorithms/i "KexAlgorithms" - - let entry = accept_env | allow_groups | allow_users - | deny_groups | subsystem | deny_users - | macs | ciphers | kexalgorithms - | other_entry - let condition_entry = let value = store /[^ \t\n]+/ in [ sep . key /[A-Za-z0-9]+/ . sep . value ] @@ -126,15 +112,17 @@ module Sshd = let match_cond = [ label "Condition" . condition_entry+ . eol ] - let match_entry = indent . (entry | comment_noindent) - | empty + let match_entry = + ( comment | empty | (Util.indent . other_entry) ) let match = - [ key /Match/i . match_cond + [ key "Match" . match_cond . [ label "Settings" . match_entry+ ] ] - let lns = (entry | comment | empty)* . match* + let lns = (comment | empty | accept_env | allow_groups | allow_users + | deny_groups | subsystem | deny_users | macs + | other_entry ) * . match* let xfm = transform lns (incl "/etc/ssh/sshd_config") diff --git a/lenses/sshd_140.aug b/lenses/sshd_140.aug new file mode 100644 index 00000000..8a7f176f --- /dev/null +++ b/lenses/sshd_140.aug @@ -0,0 +1,141 @@ +(* +Module: Sshd_140 + Parses /etc/ssh/sshd_config + + This module is compatible with Augeas 1.4.0, but is not loaded by default. + +Author: David Lutterkort lutter@redhat.com + Dominique Dumont dominique.dumont@hp.com + +About: Reference + sshd_config man page. + See http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5 + +About: License + This file is licensed under the LGPL v2+. + +About: Lens Usage + Sample usage of this lens in augtool: + + * Get your current setup + > print /files/etc/ssh/sshd_config + ... + + * Set X11Forwarding to "no" + > set /files/etc/ssh/sshd_config/X11Forwarding "no" + + More advanced usage: + + * Set a Match section + > set /files/etc/ssh/sshd_config/Match[1]/Condition/User "foo" + > set /files/etc/ssh/sshd_config/Match[1]/Settings/X11Forwarding "yes" + + Saving your file: + + > save + + +About: CAVEATS + + In sshd_config, Match blocks must be located at the end of the file. + This means that any new "global" parameters (i.e. outside of a Match + block) must be written before the first Match block. By default, + Augeas will write new parameters at the end of the file. + + I.e. if you have a Match section and no ChrootDirectory parameter, + this command: + + > set /files/etc/ssh/sshd_config/ChrootDirectory "foo" + + will be stored in a new node after the Match section and Augeas will + refuse to save sshd_config file. + + To create a new parameter as the right place, you must first create + a new Augeas node before the Match section: + + > ins ChrootDirectory before /files/etc/ssh/sshd_config/Match + + Then, you can set the parameter + + > set /files/etc/ssh/sshd_config/ChrootDirectory "foo" + + +About: Configuration files + This lens applies to /etc/ssh/sshd_config + +*) + +module Sshd_140 = + let eol = del /[ \t]*\n/ "\n" + + let sep = Util.del_ws_spc + + let indent = del /[ \t]*/ " " + + let key_re = /[A-Za-z0-9]+/ + - /MACs|Match|AcceptEnv|Subsystem|Ciphers|KexAlgorithms|(Allow|Deny)(Groups|Users)/i + + let comment = Util.comment + let comment_noindent = Util.comment_noindent + let empty = Util.empty + + let array_entry (kw:regexp) (sq:string) = + let value = store /[^ \t\n]+/ in + [ key kw . [ sep . seq sq . value]* . eol ] + + let other_entry = + let value = store /[^ \t\n]+([ \t]+[^ \t\n]+)*/ in + [ key key_re . sep . value . eol ] + + let accept_env = array_entry /AcceptEnv/i "AcceptEnv" + + let allow_groups = array_entry /AllowGroups/i "AllowGroups" + let allow_users = array_entry /AllowUsers/i "AllowUsers" + let deny_groups = array_entry /DenyGroups/i "DenyGroups" + let deny_users = array_entry /DenyUsers/i "DenyUsers" + + let subsystemvalue = + let value = store (/[^ \t\n](.*[^ \t\n])?/) in + [ key /[A-Za-z0-9\-]+/ . sep . value . eol ] + + let subsystem = + [ key /Subsystem/i . sep . subsystemvalue ] + + let list (kw:regexp) (sq:string) = + let value = store /[^, \t\n]+/ in + [ key kw . sep . + [ seq sq . value ] . + ([ seq sq . Util.del_str "," . value])* . + eol ] + + let macs = list /MACs/i "MACs" + + let ciphers = list /Ciphers/i "Ciphers" + + let kexalgorithms = list /KexAlgorithms/i "KexAlgorithms" + + let entry = accept_env | allow_groups | allow_users + | deny_groups | subsystem | deny_users + | macs | ciphers | kexalgorithms + | other_entry + + let condition_entry = + let value = store /[^ \t\n]+/ in + [ sep . key /[A-Za-z0-9]+/ . sep . value ] + + let match_cond = + [ label "Condition" . condition_entry+ . eol ] + + let match_entry = indent . (entry | comment_noindent) + | empty + + let match = + [ key /Match/i . match_cond + . [ label "Settings" . match_entry+ ] + ] + + let lns = (entry | comment | empty)* . match* + +(* Local Variables: *) +(* mode: caml *) +(* End: *) diff --git a/lenses/tests/test_sshd.aug b/lenses/tests/test_sshd.aug index 5954e16f..788a12f0 100644 --- a/lenses/tests/test_sshd.aug +++ b/lenses/tests/test_sshd.aug @@ -1,4 +1,3 @@ -(* Module: Test_sshd *) module Test_sshd = let accept_env = "Protocol 2 @@ -75,61 +74,6 @@ Match User sarko Group pres.* Match User bush Group pres.* Host white.house.* Banner /etc/welcome.txt\n" -(* Test: Sshd.lns - Indent when adding to a Match group *) - test Sshd.lns put match_blocks after - set "Match[1]/Settings/PermitRootLogin" "yes"; - set "Match[1]/Settings/#comment" "a comment" = -"X11Forwarding yes -Match User sarko Group pres.* - Banner /etc/bienvenue.txt - X11Forwarding no - PermitRootLogin yes - # a comment -Match User bush Group pres.* Host white.house.* -Banner /etc/welcome.txt\n" - - -(* Test: Sshd.lns - Parse Ciphers and KexAlgorithms as lists (GH issue #69) *) -test Sshd.lns get "Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr -KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1\n" = - { "Ciphers" - { "1" = "aes256-gcm@openssh.com" } - { "2" = "aes128-gcm@openssh.com" } - { "3" = "aes256-ctr" } - { "4" = "aes128-ctr" } - } - { "KexAlgorithms" - { "1" = "diffie-hellman-group-exchange-sha256" } - { "2" = "diffie-hellman-group14-sha1" } - { "3" = "diffie-hellman-group-exchange-sha1" } - } - -(* Test: Sshd.lns - Keys are case-insensitive *) -test Sshd.lns get "ciPheRs aes256-gcm@openssh.com,aes128-ctr -maTcH User foo - x11forwarding no\n" = - { "ciPheRs" - { "1" = "aes256-gcm@openssh.com" } - { "2" = "aes128-ctr" } - } - { "maTcH" - { "Condition" - { "User" = "foo" } - } - { "Settings" - { "x11forwarding" = "no" } - } - } - -(* Test: Sshd.lns - Allow AllowGroups in Match groups (GH issue #75) *) -test Sshd.lns get "Match User foo -AllowGroups users\n" = - { "Match" { "Condition" { "User" = "foo" } } - { "Settings" { "AllowGroups" { "1" = "users" } } } } (* Local Variables: *) (* mode: caml *) diff --git a/lenses/tests/test_sshd_140.aug b/lenses/tests/test_sshd_140.aug new file mode 100644 index 00000000..056c53f9 --- /dev/null +++ b/lenses/tests/test_sshd_140.aug @@ -0,0 +1,136 @@ +(* Module: Test_sshd_140 *) +module Test_sshd_140 = + + let accept_env = "Protocol 2 +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT +AcceptEnv LC_IDENTIFICATION LC_ALL\n" + + test Sshd_140.lns get accept_env = + { "Protocol" = "2" } + { "AcceptEnv" + { "1" = "LC_PAPER" } + { "2" = "LC_NAME" } + { "3" = "LC_ADDRESS" } + { "4" = "LC_TELEPHONE" } + { "5" = "LC_MEASUREMENT" } } + { "AcceptEnv" + { "6" = "LC_IDENTIFICATION" } + { "7" = "LC_ALL" } } + + + test Sshd_140.lns get "HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key\n" = + { "HostKey" = "/etc/ssh/ssh_host_rsa_key" } + { "HostKey" = "/etc/ssh/ssh_host_dsa_key" } + + + test Sshd_140.lns put accept_env after + rm "AcceptEnv"; + rm "AcceptEnv"; + set "Protocol" "1.5"; + set "X11Forwarding" "yes" + = "Protocol 1.5\nX11Forwarding yes\n" + + test Sshd_140.lns get "AuthorizedKeysFile %h/.ssh/authorized_keys\n" = + { "AuthorizedKeysFile" = "%h/.ssh/authorized_keys" } + + test Sshd_140.lns get "Subsystem sftp /usr/lib/openssh/sftp-server\n" = + { "Subsystem" + { "sftp" = "/usr/lib/openssh/sftp-server" } } + + test Sshd_140.lns get "Subsystem sftp-test /usr/lib/openssh/sftp-server\n" = + { "Subsystem" + { "sftp-test" = "/usr/lib/openssh/sftp-server" } } + + + + let match_blocks = "X11Forwarding yes +Match User sarko Group pres.* + Banner /etc/bienvenue.txt + X11Forwarding no +Match User bush Group pres.* Host white.house.* +Banner /etc/welcome.txt +" + test Sshd_140.lns get match_blocks = + { "X11Forwarding" = "yes"} + { "Match" + { "Condition" { "User" = "sarko" } + { "Group" = "pres.*" } } + { "Settings" { "Banner" = "/etc/bienvenue.txt" } + { "X11Forwarding" = "no" } } } + { "Match" + { "Condition" { "User" = "bush" } + { "Group" = "pres.*" } + { "Host" = "white.house.*" } } + { "Settings" { "Banner" = "/etc/welcome.txt" } } } + + test Sshd_140.lns put match_blocks after + insb "Subsystem" "/Match[1]"; + set "/Subsystem/sftp" "/usr/libexec/openssh/sftp-server" + = "X11Forwarding yes +Subsystem sftp /usr/libexec/openssh/sftp-server +Match User sarko Group pres.* + Banner /etc/bienvenue.txt + X11Forwarding no +Match User bush Group pres.* Host white.house.* +Banner /etc/welcome.txt\n" + +(* Test: Sshd_140.lns + Indent when adding to a Match group *) + test Sshd_140.lns put match_blocks after + set "Match[1]/Settings/PermitRootLogin" "yes"; + set "Match[1]/Settings/#comment" "a comment" = +"X11Forwarding yes +Match User sarko Group pres.* + Banner /etc/bienvenue.txt + X11Forwarding no + PermitRootLogin yes + # a comment +Match User bush Group pres.* Host white.house.* +Banner /etc/welcome.txt\n" + + +(* Test: Sshd_140.lns + Parse Ciphers and KexAlgorithms as lists (GH issue #69) *) +test Sshd_140.lns get "Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr +KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1\n" = + { "Ciphers" + { "1" = "aes256-gcm@openssh.com" } + { "2" = "aes128-gcm@openssh.com" } + { "3" = "aes256-ctr" } + { "4" = "aes128-ctr" } + } + { "KexAlgorithms" + { "1" = "diffie-hellman-group-exchange-sha256" } + { "2" = "diffie-hellman-group14-sha1" } + { "3" = "diffie-hellman-group-exchange-sha1" } + } + +(* Test: Sshd_140.lns + Keys are case-insensitive *) +test Sshd_140.lns get "ciPheRs aes256-gcm@openssh.com,aes128-ctr +maTcH User foo + x11forwarding no\n" = + { "ciPheRs" + { "1" = "aes256-gcm@openssh.com" } + { "2" = "aes128-ctr" } + } + { "maTcH" + { "Condition" + { "User" = "foo" } + } + { "Settings" + { "x11forwarding" = "no" } + } + } + +(* Test: Sshd_140.lns + Allow AllowGroups in Match groups (GH issue #75) *) +test Sshd_140.lns get "Match User foo +AllowGroups users\n" = + { "Match" { "Condition" { "User" = "foo" } } + { "Settings" { "AllowGroups" { "1" = "users" } } } } + +(* Local Variables: *) +(* mode: caml *) +(* End: *) diff --git a/tests/Makefile.am b/tests/Makefile.am index b4563540..387ac7d2 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -189,6 +189,7 @@ lens_tests = \ lens-squid.sh \ lens-ssh.sh \ lens-sshd.sh \ + lens-sshd_140.sh \ lens-sssd.sh \ lens-stunnel.sh \ lens-subversion.sh \ -- 2.17.2