From e30a7a6cebce788bca90a22693ef514fd76f153b Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Fri, 11 May 2018 17:19:29 +0200
Subject: T631: Rewrite SSH configuration as XML interface definition

---
 Makefile                         |   3 +
 interface-definitions/ssh.xml    | 183 +++++++++++++++++++++++++++++++++++++++
 src/conf-mode/vyos-config-ssh.py |  67 ++++++++++++++
 3 files changed, 253 insertions(+)
 create mode 100644 interface-definitions/ssh.xml
 create mode 100755 src/conf-mode/vyos-config-ssh.py

diff --git a/Makefile b/Makefile
index ee89a5608..d194b44e4 100644
--- a/Makefile
+++ b/Makefile
@@ -20,6 +20,9 @@ interface_definitions:
 	sed -i '/^type: txt/d' $(TMPL_DIR)/system/ntp/server/node.tag/noselect/node.def
 	sed -i '/^type: txt/d' $(TMPL_DIR)/system/ntp/server/node.tag/preempt/node.def
 	sed -i '/^type: txt/d' $(TMPL_DIR)/system/ntp/server/node.tag/prefer/node.def
+	sed -i '/^type: txt/d' $(TMPL_DIR)/service/ssh/allow-root/node.def
+	sed -i '/^type: txt/d' $(TMPL_DIR)/service/ssh/disable-host-validation/node.def
+	sed -i '/^type: txt/d' $(TMPL_DIR)/service/ssh/disable-password-authentication/node.def
 
 .PHONY: all
 all: interface_definitions
diff --git a/interface-definitions/ssh.xml b/interface-definitions/ssh.xml
new file mode 100644
index 000000000..9965dd69e
--- /dev/null
+++ b/interface-definitions/ssh.xml
@@ -0,0 +1,183 @@
+<?xml version="1.0"?>
+
+<!--SSH configuration -->
+
+<interfaceDefinition>
+  <node name="service">
+    <children>
+      <node name="ssh" owner="${vyos_sbindir}/vyos-config-ssh.py">
+        <properties>
+          <help>Secure SHell (SSH) protocol</help>
+          <priority>500</priority>
+        </properties>
+        <children>
+          <node name="access-control">
+            <properties>
+              <help>SSH user/group access controls</help>
+            </properties>
+            <children>
+              <leafNode name="allow-groups">
+                <properties>
+                  <help>Configure sshd_config access control for allowed groups</help>
+                </properties>
+              </leafNode>
+              <leafNode name="allow-users">
+                <properties>
+                  <help>Configure sshd_config access control for allowed users</help>
+                </properties>
+              </leafNode>
+              <leafNode name="deny-groups">
+                <properties>
+                  <help>Configure sshd_config access control for disallowed groups</help>
+                </properties>
+              </leafNode>
+              <leafNode name="deny-users">
+                <properties>
+                  <help>Configure sshd_config access control for disallowed users</help>
+                </properties>
+              </leafNode>
+            </children>
+          </node>
+          <leafNode name="allow-root">
+            <properties>
+              <help>Enable root login over ssh</help>
+            </properties>
+          </leafNode>
+          <leafNode name="ciphers">
+            <properties>
+              <help>Allowed ciphers</help>
+              <valueHelp>
+                <format>chacha20-poly1305@openssh.com</format>
+                <description>ChaCha20 Poly1305</description>
+              </valueHelp>
+              <valueHelp>
+                <format>3des-cbc</format>
+                <description>3DES CBC (weak)</description>
+              </valueHelp>
+              <valueHelp>
+                <format>aes128-cbc</format>
+                <description>AES 128 CBC</description>
+              </valueHelp>
+              <valueHelp>
+                <format>aes192-cbc</format>
+                <description>AES 192 CBC</description>
+              </valueHelp>
+              <valueHelp>
+                <format>aes256-cbc</format>
+                <description>AES 256 CBC</description>
+              </valueHelp>
+              <valueHelp>
+                <format>aes128-ctr</format>
+                <description>AES 128 CTR</description>
+              </valueHelp>
+              <valueHelp>
+                <format>aes192-ctr</format>
+                <description>AES 192 CTR</description>
+              </valueHelp>
+              <valueHelp>
+                <format>aes256-ctr</format>
+                <description>AES 256 CTR</description>
+              </valueHelp>
+              <valueHelp>
+                <format>arcfour128</format>
+                <description>AC4 128 (broken)</description>
+              </valueHelp>
+              <valueHelp>
+                <format>arcfour256</format>
+                <description>AC4 256 (broken)</description>
+              </valueHelp>
+              <valueHelp>
+                <format>arcfour</format>
+                <description>AC4 (broken)</description>
+              </valueHelp>
+              <valueHelp>
+                <format>blowfish-cbc</format>
+                <description>Blowfish CBC</description>
+              </valueHelp>
+              <valueHelp>
+                <format>cast128-cbc</format>
+                <description>CAST 128 CBC</description>
+              </valueHelp>
+            </properties>
+          </leafNode>
+          <leafNode name="disable-host-validation">
+            <properties>
+              <help>Don't validate the remote host name with DNS</help>
+            </properties>
+          </leafNode>
+          <leafNode name="disable-password-authentication">
+            <properties>
+              <help>Don't allow unknown user to login with password</help>
+            </properties>
+          </leafNode>
+          <leafNode name="key-exchange">
+            <properties>
+              <help>Key exchange algorithms</help>
+              <completionHelp>
+                <script>ssh -Q kex | perl -ne '$_=~s/\n/ /;print'</script>
+              </completionHelp>
+            </properties>
+          </leafNode>
+          <leafNode name="listen-address">
+            <properties>
+              <help>Local addresses SSH service should listen on</help>
+              <valueHelp>
+                <format>ipv4</format>
+                <description>IP address to listen for incoming connections</description>
+              </valueHelp>
+              <valueHelp>
+                <format>ipv6</format>
+                <description>IPv6 address to listen for incoming connections</description>
+              </valueHelp>
+              <type>ipv4,ipv6</type>
+              <multi/>
+            </properties>
+          </leafNode>
+          <leafNode name="loglevel">
+            <properties>
+              <help>Log level</help>
+              <valueHelp>
+                <format>QUIET</format>
+                <description>stay silent</description>
+              </valueHelp>
+              <valueHelp>
+                <format>FATAL</format>
+                <description>log fatals only</description>
+              </valueHelp>
+              <valueHelp>
+                <format>ERROR</format>
+                <description>log errors and fatals only</description>
+              </valueHelp>
+              <valueHelp>
+                <format>INFO</format>
+                <description>default log level</description>
+              </valueHelp>
+              <valueHelp>
+                <format>VERBOSE</format>
+                <description>enable logging of failed login attempts</description>
+              </valueHelp>
+            </properties>
+          </leafNode>
+          <leafNode name="mac">
+            <properties>
+              <help>Allowed message authentication algorithms</help>
+              <completionHelp>
+                <script>ssh -Q mac | perl -ne '$_=~s/\n/ /;print'</script>
+              </completionHelp>
+            </properties>
+          </leafNode>
+          <leafNode name="port">
+            <properties>
+              <help>Port for SSH service</help>
+              <valueHelp>
+                <format>u32:1-65535</format>
+                <description>Numeric IP port</description>
+              </valueHelp>
+              <type>u32</type>
+            </properties>
+          </leafNode>
+        </children>
+      </node>
+    </children>
+  </node>
+</interfaceDefinition>
diff --git a/src/conf-mode/vyos-config-ssh.py b/src/conf-mode/vyos-config-ssh.py
new file mode 100755
index 000000000..e91e829b2
--- /dev/null
+++ b/src/conf-mode/vyos-config-ssh.py
@@ -0,0 +1,67 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2018 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+#
+
+import sys
+import os
+import time
+
+from vyos.config import Config
+from vyos.util import ConfigError
+
+config_file = r'/etc/ssh/sshd_config'
+
+def get_config():
+    ssh = {}
+    conf = Config()
+    conf.set_level('service ssh')
+    if not conf.exists(''):
+        return ssh
+
+    return ssh
+
+def verify(ssh):
+    return None
+
+def generate(ssh):
+    config_header = '### Autogenerated by vyos-config-ssh.py on {tm} ###\n'.format(tm=time.strftime("%a, %d %b %Y %H:%M:%S", time.localtime()))
+
+    # write new configuration file
+    f = open(config_file, 'w')
+    f.write(config_header)
+    f.write('\n')
+    f.close()
+    return None
+
+def apply(ssh):
+    if len(ssh) == 0:
+        cmd = "sudo systemctl stop ssh"
+    else:
+        cmd = "sudo systemctl start ssh"
+
+    os.system(cmd)
+    return None
+
+if __name__ == '__main__':
+    try:
+        c = get_config()
+        verify(c)
+        generate(c)
+        apply(c)
+    except ConfigError as e:
+        print(e)
+        sys.exit(1)
-- 
cgit v1.2.3