From c9eaafd9f808aba8d29be73054e11d37577e539a Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sat, 30 Dec 2023 23:25:20 +0100 Subject: T5474: establish common file name pattern for XML conf mode commands We will use _ as CLI level divider. The XML definition filename and also the Python helper should match the CLI node. Example: set interfaces ethernet -> interfaces_ethernet.xml.in set interfaces bond -> interfaces_bond.xml.in set service dhcp-server -> service_dhcp-server-xml.in (cherry picked from commit 4ef110fd2c501b718344c72d495ad7e16d2bd465) --- interface-definitions/service_ssh.xml.in | 270 +++++++++++++++++++++++++++++++ 1 file changed, 270 insertions(+) create mode 100644 interface-definitions/service_ssh.xml.in (limited to 'interface-definitions/service_ssh.xml.in') diff --git a/interface-definitions/service_ssh.xml.in b/interface-definitions/service_ssh.xml.in new file mode 100644 index 000000000..5c893bd35 --- /dev/null +++ b/interface-definitions/service_ssh.xml.in @@ -0,0 +1,270 @@ + + + + + System services + + + + + Secure Shell (SSH) + 1000 + + + + + SSH user/group access controls + + + + + Allow user/group SSH access + + + #include + #include + + + + + Deny user/group SSH access + + + #include + #include + + + + + + + Allowed ciphers + + + 3des-cbc aes128-cbc aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com chacha20-poly1305@openssh.com + + + (3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|rijndael-cbc@lysator.liu.se|aes128-ctr|aes192-ctr|aes256-ctr|aes128-gcm@openssh.com|aes256-gcm@openssh.com|chacha20-poly1305@openssh.com) + + + + + + + Disable IP Address to Hostname lookup + + + + + + Disable password-based authentication + + + + + + Allow dynamic protection + + + + + Block source IP in seconds. Subsequent blocks increase by a factor of 1.5 + + u32:1-65535 + Time interval in seconds for blocking + + + + + + 120 + + + + Remember source IP in seconds before reset their score + + u32:1-65535 + Time interval in seconds + + + + + + 1800 + + + + Block source IP when their cumulative attack score exceeds threshold + + u32:1-65535 + Threshold score + + + + + + 30 + + + + Always allow inbound connections from these systems + + ipv4 + Address to match against + + + ipv4net + IPv4 address and prefix length + + + ipv6 + IPv6 address to match against + + + ipv6net + IPv6 address and prefix length + + + + + + + + + + + + + Allowed host key signature algorithms + + + ssh-ed25519 ssh-ed25519-cert-v01@openssh.com sk-ssh-ed25519@openssh.com sk-ssh-ed25519-cert-v01@openssh.com ssh-rsa rsa-sha2-256 rsa-sha2-512 ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 sk-ecdsa-sha2-nistp256@openssh.com webauthn-sk-ecdsa-sha2-nistp256@openssh.com ssh-rsa-cert-v01@openssh.com rsa-sha2-256-cert-v01@openssh.com rsa-sha2-512-cert-v01@openssh.com ssh-dss-cert-v01@openssh.com ecdsa-sha2-nistp256-cert-v01@openssh.com ecdsa-sha2-nistp384-cert-v01@openssh.com ecdsa-sha2-nistp521-cert-v01@openssh.com sk-ecdsa-sha2-nistp256-cert-v01@openssh.com + + + + (ssh-ed25519|ssh-ed25519-cert-v01@openssh.com|sk-ssh-ed25519@openssh.com|sk-ssh-ed25519-cert-v01@openssh.com|ssh-rsa|rsa-sha2-256|rsa-sha2-512|ssh-dss|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|sk-ecdsa-sha2-nistp256@openssh.com|webauthn-sk-ecdsa-sha2-nistp256@openssh.com|ssh-rsa-cert-v01@openssh.com|rsa-sha2-256-cert-v01@openssh.com|rsa-sha2-512-cert-v01@openssh.com|ssh-dss-cert-v01@openssh.com|ecdsa-sha2-nistp256-cert-v01@openssh.com|ecdsa-sha2-nistp384-cert-v01@openssh.com|ecdsa-sha2-nistp521-cert-v01@openssh.com|sk-ecdsa-sha2-nistp256-cert-v01@openssh.com) + + + + + + Allowed key exchange (KEX) algorithms + + + diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 curve25519-sha256 curve25519-sha256@libssh.org + + + + (diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group14-sha256|diffie-hellman-group16-sha512|diffie-hellman-group18-sha512|diffie-hellman-group-exchange-sha1|diffie-hellman-group-exchange-sha256|ecdh-sha2-nistp256|ecdh-sha2-nistp384|ecdh-sha2-nistp521|curve25519-sha256|curve25519-sha256@libssh.org) + + + + #include + + + Log level + + quiet fatal error info verbose + + + quiet + stay silent + + + fatal + log fatals only + + + error + log errors and fatals only + + + info + default log level + + + verbose + enable logging of failed login attempts + + + (quiet|fatal|error|info|verbose) + + + info + + + + Allowed message authentication code (MAC) algorithms + + + hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512 hmac-md5 hmac-md5-96 umac-64@openssh.com umac-128@openssh.com hmac-sha1-etm@openssh.com hmac-sha1-96-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com umac-64-etm@openssh.com umac-128-etm@openssh.com + + + (hmac-sha1|hmac-sha1-96|hmac-sha2-256|hmac-sha2-512|hmac-md5|hmac-md5-96|umac-64@openssh.com|umac-128@openssh.com|hmac-sha1-etm@openssh.com|hmac-sha1-96-etm@openssh.com|hmac-sha2-256-etm@openssh.com|hmac-sha2-512-etm@openssh.com|hmac-md5-etm@openssh.com|hmac-md5-96-etm@openssh.com|umac-64-etm@openssh.com|umac-128-etm@openssh.com) + + + + + + + Port for SSH service + + u32:1-65535 + Numeric IP port + + + + + + + 22 + + + + SSH session rekey limit + + + + + Threshold data in megabytes + + u32:1-65535 + Megabytes + + + + + + + + + Threshold time in minutes + + u32:1-65535 + Minutes + + + + + + + + + + + Enable transmission of keepalives from server to client + + u32:1-65535 + Time interval in seconds for keepalive message + + + + + + + #include + + + + + -- cgit v1.2.3