From e30a7a6cebce788bca90a22693ef514fd76f153b Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Fri, 11 May 2018 17:19:29 +0200
Subject: T631: Rewrite SSH configuration as XML interface definition

---
 interface-definitions/ssh.xml | 183 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 183 insertions(+)
 create mode 100644 interface-definitions/ssh.xml

(limited to 'interface-definitions/ssh.xml')

diff --git a/interface-definitions/ssh.xml b/interface-definitions/ssh.xml
new file mode 100644
index 000000000..9965dd69e
--- /dev/null
+++ b/interface-definitions/ssh.xml
@@ -0,0 +1,183 @@
+<?xml version="1.0"?>
+
+<!--SSH configuration -->
+
+<interfaceDefinition>
+  <node name="service">
+    <children>
+      <node name="ssh" owner="${vyos_sbindir}/vyos-config-ssh.py">
+        <properties>
+          <help>Secure SHell (SSH) protocol</help>
+          <priority>500</priority>
+        </properties>
+        <children>
+          <node name="access-control">
+            <properties>
+              <help>SSH user/group access controls</help>
+            </properties>
+            <children>
+              <leafNode name="allow-groups">
+                <properties>
+                  <help>Configure sshd_config access control for allowed groups</help>
+                </properties>
+              </leafNode>
+              <leafNode name="allow-users">
+                <properties>
+                  <help>Configure sshd_config access control for allowed users</help>
+                </properties>
+              </leafNode>
+              <leafNode name="deny-groups">
+                <properties>
+                  <help>Configure sshd_config access control for disallowed groups</help>
+                </properties>
+              </leafNode>
+              <leafNode name="deny-users">
+                <properties>
+                  <help>Configure sshd_config access control for disallowed users</help>
+                </properties>
+              </leafNode>
+            </children>
+          </node>
+          <leafNode name="allow-root">
+            <properties>
+              <help>Enable root login over ssh</help>
+            </properties>
+          </leafNode>
+          <leafNode name="ciphers">
+            <properties>
+              <help>Allowed ciphers</help>
+              <valueHelp>
+                <format>chacha20-poly1305@openssh.com</format>
+                <description>ChaCha20 Poly1305</description>
+              </valueHelp>
+              <valueHelp>
+                <format>3des-cbc</format>
+                <description>3DES CBC (weak)</description>
+              </valueHelp>
+              <valueHelp>
+                <format>aes128-cbc</format>
+                <description>AES 128 CBC</description>
+              </valueHelp>
+              <valueHelp>
+                <format>aes192-cbc</format>
+                <description>AES 192 CBC</description>
+              </valueHelp>
+              <valueHelp>
+                <format>aes256-cbc</format>
+                <description>AES 256 CBC</description>
+              </valueHelp>
+              <valueHelp>
+                <format>aes128-ctr</format>
+                <description>AES 128 CTR</description>
+              </valueHelp>
+              <valueHelp>
+                <format>aes192-ctr</format>
+                <description>AES 192 CTR</description>
+              </valueHelp>
+              <valueHelp>
+                <format>aes256-ctr</format>
+                <description>AES 256 CTR</description>
+              </valueHelp>
+              <valueHelp>
+                <format>arcfour128</format>
+                <description>AC4 128 (broken)</description>
+              </valueHelp>
+              <valueHelp>
+                <format>arcfour256</format>
+                <description>AC4 256 (broken)</description>
+              </valueHelp>
+              <valueHelp>
+                <format>arcfour</format>
+                <description>AC4 (broken)</description>
+              </valueHelp>
+              <valueHelp>
+                <format>blowfish-cbc</format>
+                <description>Blowfish CBC</description>
+              </valueHelp>
+              <valueHelp>
+                <format>cast128-cbc</format>
+                <description>CAST 128 CBC</description>
+              </valueHelp>
+            </properties>
+          </leafNode>
+          <leafNode name="disable-host-validation">
+            <properties>
+              <help>Don't validate the remote host name with DNS</help>
+            </properties>
+          </leafNode>
+          <leafNode name="disable-password-authentication">
+            <properties>
+              <help>Don't allow unknown user to login with password</help>
+            </properties>
+          </leafNode>
+          <leafNode name="key-exchange">
+            <properties>
+              <help>Key exchange algorithms</help>
+              <completionHelp>
+                <script>ssh -Q kex | perl -ne '$_=~s/\n/ /;print'</script>
+              </completionHelp>
+            </properties>
+          </leafNode>
+          <leafNode name="listen-address">
+            <properties>
+              <help>Local addresses SSH service should listen on</help>
+              <valueHelp>
+                <format>ipv4</format>
+                <description>IP address to listen for incoming connections</description>
+              </valueHelp>
+              <valueHelp>
+                <format>ipv6</format>
+                <description>IPv6 address to listen for incoming connections</description>
+              </valueHelp>
+              <type>ipv4,ipv6</type>
+              <multi/>
+            </properties>
+          </leafNode>
+          <leafNode name="loglevel">
+            <properties>
+              <help>Log level</help>
+              <valueHelp>
+                <format>QUIET</format>
+                <description>stay silent</description>
+              </valueHelp>
+              <valueHelp>
+                <format>FATAL</format>
+                <description>log fatals only</description>
+              </valueHelp>
+              <valueHelp>
+                <format>ERROR</format>
+                <description>log errors and fatals only</description>
+              </valueHelp>
+              <valueHelp>
+                <format>INFO</format>
+                <description>default log level</description>
+              </valueHelp>
+              <valueHelp>
+                <format>VERBOSE</format>
+                <description>enable logging of failed login attempts</description>
+              </valueHelp>
+            </properties>
+          </leafNode>
+          <leafNode name="mac">
+            <properties>
+              <help>Allowed message authentication algorithms</help>
+              <completionHelp>
+                <script>ssh -Q mac | perl -ne '$_=~s/\n/ /;print'</script>
+              </completionHelp>
+            </properties>
+          </leafNode>
+          <leafNode name="port">
+            <properties>
+              <help>Port for SSH service</help>
+              <valueHelp>
+                <format>u32:1-65535</format>
+                <description>Numeric IP port</description>
+              </valueHelp>
+              <type>u32</type>
+            </properties>
+          </leafNode>
+        </children>
+      </node>
+    </children>
+  </node>
+</interfaceDefinition>
-- 
cgit v1.2.3


From 0a8021c21eb918cc2c31d7d922b6428017b341c0 Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Sat, 12 May 2018 11:58:55 +0200
Subject: T631: use completionHelp for SSH rather then valueHelp

SSH is already probed for some possible values. ALso use completionHelp
for available ciphers. In addition drop 'perl' from helper script in favor of
'tr'.
---
 interface-definitions/ssh.xml | 59 ++++---------------------------------------
 1 file changed, 5 insertions(+), 54 deletions(-)

(limited to 'interface-definitions/ssh.xml')

diff --git a/interface-definitions/ssh.xml b/interface-definitions/ssh.xml
index 9965dd69e..5b9368360 100644
--- a/interface-definitions/ssh.xml
+++ b/interface-definitions/ssh.xml
@@ -46,58 +46,9 @@
           <leafNode name="ciphers">
             <properties>
               <help>Allowed ciphers</help>
-              <valueHelp>
-                <format>chacha20-poly1305@openssh.com</format>
-                <description>ChaCha20 Poly1305</description>
-              </valueHelp>
-              <valueHelp>
-                <format>3des-cbc</format>
-                <description>3DES CBC (weak)</description>
-              </valueHelp>
-              <valueHelp>
-                <format>aes128-cbc</format>
-                <description>AES 128 CBC</description>
-              </valueHelp>
-              <valueHelp>
-                <format>aes192-cbc</format>
-                <description>AES 192 CBC</description>
-              </valueHelp>
-              <valueHelp>
-                <format>aes256-cbc</format>
-                <description>AES 256 CBC</description>
-              </valueHelp>
-              <valueHelp>
-                <format>aes128-ctr</format>
-                <description>AES 128 CTR</description>
-              </valueHelp>
-              <valueHelp>
-                <format>aes192-ctr</format>
-                <description>AES 192 CTR</description>
-              </valueHelp>
-              <valueHelp>
-                <format>aes256-ctr</format>
-                <description>AES 256 CTR</description>
-              </valueHelp>
-              <valueHelp>
-                <format>arcfour128</format>
-                <description>AC4 128 (broken)</description>
-              </valueHelp>
-              <valueHelp>
-                <format>arcfour256</format>
-                <description>AC4 256 (broken)</description>
-              </valueHelp>
-              <valueHelp>
-                <format>arcfour</format>
-                <description>AC4 (broken)</description>
-              </valueHelp>
-              <valueHelp>
-                <format>blowfish-cbc</format>
-                <description>Blowfish CBC</description>
-              </valueHelp>
-              <valueHelp>
-                <format>cast128-cbc</format>
-                <description>CAST 128 CBC</description>
-              </valueHelp>
+              <completionHelp>
+                <script>ssh -Q cipher | tr '\n' ' '</script>
+              </completionHelp>
             </properties>
           </leafNode>
           <leafNode name="disable-host-validation">
@@ -114,7 +65,7 @@
             <properties>
               <help>Key exchange algorithms</help>
               <completionHelp>
-                <script>ssh -Q kex | perl -ne '$_=~s/\n/ /;print'</script>
+                <script>ssh -Q kex | tr '\n' ' '</script>
               </completionHelp>
             </properties>
           </leafNode>
@@ -162,7 +113,7 @@
             <properties>
               <help>Allowed message authentication algorithms</help>
               <completionHelp>
-                <script>ssh -Q mac | perl -ne '$_=~s/\n/ /;print'</script>
+                <script>ssh -Q mac | tr '\n' ' '</script>
               </completionHelp>
             </properties>
           </leafNode>
-- 
cgit v1.2.3


From a20634014490f2b3053f0b7176f98f39a4f72e9e Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Sun, 13 May 2018 13:41:12 +0200
Subject: T631: improve help for access-control

---
 interface-definitions/ssh.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'interface-definitions/ssh.xml')

diff --git a/interface-definitions/ssh.xml b/interface-definitions/ssh.xml
index 5b9368360..5ccd3006f 100644
--- a/interface-definitions/ssh.xml
+++ b/interface-definitions/ssh.xml
@@ -13,7 +13,7 @@
         <children>
           <node name="access-control">
             <properties>
-              <help>SSH user/group access controls</help>
+                <help>SSH user/group access controls. Directives are processed in this: deny-users, allow-users, deny-groups and allow-groups</help>
             </properties>
             <children>
               <leafNode name="allow-groups">
-- 
cgit v1.2.3