From e30a7a6cebce788bca90a22693ef514fd76f153b Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Fri, 11 May 2018 17:19:29 +0200
Subject: T631: Rewrite SSH configuration as XML interface definition

---
 interface-definitions/ssh.xml | 183 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 183 insertions(+)
 create mode 100644 interface-definitions/ssh.xml

(limited to 'interface-definitions/ssh.xml')

diff --git a/interface-definitions/ssh.xml b/interface-definitions/ssh.xml
new file mode 100644
index 000000000..9965dd69e
--- /dev/null
+++ b/interface-definitions/ssh.xml
@@ -0,0 +1,183 @@
+<?xml version="1.0"?>
+
+<!--SSH configuration -->
+
+<interfaceDefinition>
+  <node name="service">
+    <children>
+      <node name="ssh" owner="${vyos_sbindir}/vyos-config-ssh.py">
+        <properties>
+          <help>Secure SHell (SSH) protocol</help>
+          <priority>500</priority>
+        </properties>
+        <children>
+          <node name="access-control">
+            <properties>
+              <help>SSH user/group access controls</help>
+            </properties>
+            <children>
+              <leafNode name="allow-groups">
+                <properties>
+                  <help>Configure sshd_config access control for allowed groups</help>
+                </properties>
+              </leafNode>
+              <leafNode name="allow-users">
+                <properties>
+                  <help>Configure sshd_config access control for allowed users</help>
+                </properties>
+              </leafNode>
+              <leafNode name="deny-groups">
+                <properties>
+                  <help>Configure sshd_config access control for disallowed groups</help>
+                </properties>
+              </leafNode>
+              <leafNode name="deny-users">
+                <properties>
+                  <help>Configure sshd_config access control for disallowed users</help>
+                </properties>
+              </leafNode>
+            </children>
+          </node>
+          <leafNode name="allow-root">
+            <properties>
+              <help>Enable root login over ssh</help>
+            </properties>
+          </leafNode>
+          <leafNode name="ciphers">
+            <properties>
+              <help>Allowed ciphers</help>
+              <valueHelp>
+                <format>chacha20-poly1305@openssh.com</format>
+                <description>ChaCha20 Poly1305</description>
+              </valueHelp>
+              <valueHelp>
+                <format>3des-cbc</format>
+                <description>3DES CBC (weak)</description>
+              </valueHelp>
+              <valueHelp>
+                <format>aes128-cbc</format>
+                <description>AES 128 CBC</description>
+              </valueHelp>
+              <valueHelp>
+                <format>aes192-cbc</format>
+                <description>AES 192 CBC</description>
+              </valueHelp>
+              <valueHelp>
+                <format>aes256-cbc</format>
+                <description>AES 256 CBC</description>
+              </valueHelp>
+              <valueHelp>
+                <format>aes128-ctr</format>
+                <description>AES 128 CTR</description>
+              </valueHelp>
+              <valueHelp>
+                <format>aes192-ctr</format>
+                <description>AES 192 CTR</description>
+              </valueHelp>
+              <valueHelp>
+                <format>aes256-ctr</format>
+                <description>AES 256 CTR</description>
+              </valueHelp>
+              <valueHelp>
+                <format>arcfour128</format>
+                <description>AC4 128 (broken)</description>
+              </valueHelp>
+              <valueHelp>
+                <format>arcfour256</format>
+                <description>AC4 256 (broken)</description>
+              </valueHelp>
+              <valueHelp>
+                <format>arcfour</format>
+                <description>AC4 (broken)</description>
+              </valueHelp>
+              <valueHelp>
+                <format>blowfish-cbc</format>
+                <description>Blowfish CBC</description>
+              </valueHelp>
+              <valueHelp>
+                <format>cast128-cbc</format>
+                <description>CAST 128 CBC</description>
+              </valueHelp>
+            </properties>
+          </leafNode>
+          <leafNode name="disable-host-validation">
+            <properties>
+              <help>Don't validate the remote host name with DNS</help>
+            </properties>
+          </leafNode>
+          <leafNode name="disable-password-authentication">
+            <properties>
+              <help>Don't allow unknown user to login with password</help>
+            </properties>
+          </leafNode>
+          <leafNode name="key-exchange">
+            <properties>
+              <help>Key exchange algorithms</help>
+              <completionHelp>
+                <script>ssh -Q kex | perl -ne '$_=~s/\n/ /;print'</script>
+              </completionHelp>
+            </properties>
+          </leafNode>
+          <leafNode name="listen-address">
+            <properties>
+              <help>Local addresses SSH service should listen on</help>
+              <valueHelp>
+                <format>ipv4</format>
+                <description>IP address to listen for incoming connections</description>
+              </valueHelp>
+              <valueHelp>
+                <format>ipv6</format>
+                <description>IPv6 address to listen for incoming connections</description>
+              </valueHelp>
+              <type>ipv4,ipv6</type>
+              <multi/>
+            </properties>
+          </leafNode>
+          <leafNode name="loglevel">
+            <properties>
+              <help>Log level</help>
+              <valueHelp>
+                <format>QUIET</format>
+                <description>stay silent</description>
+              </valueHelp>
+              <valueHelp>
+                <format>FATAL</format>
+                <description>log fatals only</description>
+              </valueHelp>
+              <valueHelp>
+                <format>ERROR</format>
+                <description>log errors and fatals only</description>
+              </valueHelp>
+              <valueHelp>
+                <format>INFO</format>
+                <description>default log level</description>
+              </valueHelp>
+              <valueHelp>
+                <format>VERBOSE</format>
+                <description>enable logging of failed login attempts</description>
+              </valueHelp>
+            </properties>
+          </leafNode>
+          <leafNode name="mac">
+            <properties>
+              <help>Allowed message authentication algorithms</help>
+              <completionHelp>
+                <script>ssh -Q mac | perl -ne '$_=~s/\n/ /;print'</script>
+              </completionHelp>
+            </properties>
+          </leafNode>
+          <leafNode name="port">
+            <properties>
+              <help>Port for SSH service</help>
+              <valueHelp>
+                <format>u32:1-65535</format>
+                <description>Numeric IP port</description>
+              </valueHelp>
+              <type>u32</type>
+            </properties>
+          </leafNode>
+        </children>
+      </node>
+    </children>
+  </node>
+</interfaceDefinition>
-- 
cgit v1.2.3