From c5774b1dacb5c4bc67d2bf6f63ed92a296923220 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 13 May 2018 14:10:15 +0200 Subject: T632: use multi node for SSH allow/deny users and groups --- src/conf-mode/vyos-config-ssh.py | 62 ++++++++++------------------------------ 1 file changed, 15 insertions(+), 47 deletions(-) (limited to 'src') diff --git a/src/conf-mode/vyos-config-ssh.py b/src/conf-mode/vyos-config-ssh.py index 1605dcd74..e7528ae83 100755 --- a/src/conf-mode/vyos-config-ssh.py +++ b/src/conf-mode/vyos-config-ssh.py 
@@ -155,53 +155,21 @@ def get_config(): else: conf.set_level('service ssh') - if conf.exists('access-control allow-users'): - # Retrieve ',' separated list for allowed users and convert it to a list. - # The current VyOS CLI implementation should be improved to rather use multi nodes - # instead of a ',' separated input. - allow_user = conf.return_value('access-control allow-users') - tmp = allow_user.split(',') - users = [] - for u in tmp: - users.append(u) - - ssh.setdefault('allow_users', users) - - if conf.exists('access-control allow-groups'): - # Retrieve ',' separated list for allowed groups and convert it to a list. - # The current VyOS CLI implementation should be improved to rather use multi nodes - # instead of a ',' separated input. - allow_group = conf.return_value('access-control allow-groups') - tmp = allow_group.split(',') - groups = [] - for g in tmp: - groups.append(g) - - ssh.setdefault('allow_groups', groups) - - if conf.exists('access-control deny-users'): - # Retrieve ',' separated list for denied users and convert it to a list. - # The current VyOS CLI implementation should be improved to rather use multi nodes - # instead of a ',' separated input. - deny_user = conf.return_value('access-control deny-users') - tmp = deny_user.split(',') - users = [] - for u in tmp: - users.append(u) - - ssh.setdefault('deny_users', users) - - if conf.exists('access-control deny-groups'): - # Retrieve ',' separated list for denied groups and convert it to a list. - # The current VyOS CLI implementation should be improved to rather use multi nodes - # instead of a ',' separated input. 
- deny_group = conf.return_value('access-control deny-groups') - tmp = deny_group.split(',') - groups = [] - for g in tmp: - groups.append(g) - - ssh.setdefault('deny_groups', groups) + if conf.exists('access-control allow user'): + allow_users = conf.return_values('access-control allow user') + ssh.setdefault('allow_users', allow_users) + + if conf.exists('access-control allow group'): + allow_groups = conf.return_values('access-control allow group') + ssh.setdefault('allow_groups', allow_groups) + + if conf.exists('access-control deny user'): + deny_users = conf.return_values('access-control deny user') + ssh.setdefault('deny_users', deny_users) + + if conf.exists('access-control deny group'): + deny_groups = conf.return_values('access-control deny group') + ssh.setdefault('deny_groups', deny_groups) if conf.exists('allow-root'): ssh['allow-root'] = 'yes' -- cgit v1.2.3 From 0c42107faa0fb4fedccab6746bf90a0f02b86bc9 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Mon, 14 May 2018 11:17:40 +0200 Subject: T632: allow multiple algoorithms for: Ciper, KEX, MACs --- interface-definitions/ssh.xml | 9 ++++++--- src/conf-mode/vyos-config-ssh.py | 18 ++++++------------ 2 files changed, 12 insertions(+), 15 deletions(-) (limited to 'src') diff --git a/interface-definitions/ssh.xml b/interface-definitions/ssh.xml index 7b16939c6..79dff0548 100644 --- a/interface-definitions/ssh.xml +++ b/interface-definitions/ssh.xml @@ -57,10 +57,11 @@ - Allowed ciphers + Specifies allowed Ciphers + @@ -75,10 +76,11 @@ - Key exchange algorithms + Specifies available KEX (Key Exchange) algorithms + @@ -126,10 +128,11 @@ - Allowed message authentication algorithms + Specifies available MAC (message authentication code) algorithms + diff --git a/src/conf-mode/vyos-config-ssh.py b/src/conf-mode/vyos-config-ssh.py index e7528ae83..d09219caa 100755 --- a/src/conf-mode/vyos-config-ssh.py +++ b/src/conf-mode/vyos-config-ssh.py 
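Review bot: The user and group names read with `return_values` go straight into the `AllowUsers`/`DenyUsers`/`AllowGroups`/`DenyGroups` lines of the generated sshd_config, joined with a single space, and nothing in this hunk rejects a value containing whitespace or a newline, which sshd would read as extra tokens or extra directives; if the interface definition does not already constrain these leaf nodes (it is not part of this diff), a validator there or a check here is needed. The four blocks would also benefit from one comment, because sshd does not evaluate them in the order they are written: `# sshd applies these in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups`. Since `default_config_data` appears to carry no allow/deny keys, `ssh['allow_users'] = allow_users` states more plainly than `setdefault` what happens. The old comma-separated `allow-users`/`deny-groups` nodes disappear without a visible migration, so existing configurations using them are silently ignored unless that is handled elsewhere. get_config starts before this hunk and ends after it.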
@@ -89,7 +89,7 @@ ListenAddress {{ a }} # Specifies the ciphers allowed. Multiple ciphers must be comma-separated. # # NOTE: As of now, there is no 'multi' node for 'ciphers', thus we have only one :/ -Ciphers {{ ciphers }} +Ciphers {{ ciphers | join(",") }} {% endif %} {% if mac -%} @@ -98,7 +98,7 @@ Ciphers {{ ciphers }} # comma-separated. # # NOTE: As of now, there is no 'multi' node for 'mac', thus we have only one :/ -MACs {{ mac }} +MACs {{ mac | join(",") }} {% endif %} {% if key_exchange -%} @@ -106,7 +106,7 @@ MACs {{ mac }} # be comma-separated. # # NOTE: As of now, there is no 'multi' node for 'key-exchange', thus we have only one :/ -KexAlgorithms {{ key_exchange }} +KexAlgorithms {{ key_exchange | join(",") }} {% endif %} {% if allow_users -%} @@ -175,9 +175,7 @@ def get_config(): ssh['allow-root'] = 'yes' if conf.exists('ciphers'): - # TODO: OpenSSH supports having multiple Ciphers configured. VyOS CLI - # yet has no multi node for this. See T632 in phabricator. - ciphers = conf.return_value('ciphers') + ciphers = conf.return_values('ciphers') ssh.setdefault('ciphers', ciphers) if conf.exists('disable-host-validation'): @@ -187,9 +185,7 @@ def get_config(): ssh['password_authentication'] = 'no' if conf.exists('key-exchange'): - # TODO: OpenSSH supports having multiple KEYX methods configured. VyOS CLI - # yet has no multi node for this. See T632 in phabricator. - kex = conf.return_value('key-exchange') + kex = conf.return_values('key-exchange') ssh.setdefault('key_exchange', kex) if conf.exists('listen-address'): @@ -208,9 +204,7 @@ def get_config(): ssh['log_level'] = conf.return_value('loglevel') if conf.exists('mac'): - # TODO: OpenSSH supports having multiple MACs configured. VyOS CLI - # yet has no multi node for this. See T632 in phabricator. - mac = conf.return_value('mac') + mac = conf.return_values('mac') ssh.setdefault('mac', mac) if conf.exists('port'): -- cgit v1.2.3 From 17bce754270301b951d0af9c80bfbf08872ec5af Mon Sep 17 00:00:00 2001 
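Review bot: The three template comments kept as context in the hunks at -89, -98 and -106 still say `there is no 'multi' node for 'ciphers'` (and likewise for 'mac' and 'key-exchange'), which this commit makes untrue by switching the nodes to `return_values` and joining the lists with ","; drop them or replace each with a line such as `# Joined with "," from the CLI multi node; sshd expects a comma-separated list`. The `join` filter also assumes each of these keys is always a list, so if `default_config_data` (outside these hunks) ever supplied a string default for one of them the filter would emit its characters comma-separated. The algorithm names are handed to sshd unchecked, and a name sshd does not recognise makes it refuse to start, so running `sshd -t` on the generated file before the service restart, if the commit step does not already do so, would turn a broken configuration into a commit error instead of a dead SSH service. The `@@ -175`, `@@ -187` and `@@ -208` hunks sit inside get_config, which starts and ends outside them.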
From: Christian Poessinger Date: Tue, 15 May 2018 20:46:38 +0200 Subject: bugfix: remove whitespaces in generated 'powerdns/recursor.conf' --- src/conf-mode/vyos-config-dns-forwarding.py | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/conf-mode/vyos-config-dns-forwarding.py b/src/conf-mode/vyos-config-dns-forwarding.py index df273b321..5556c1693 100755 --- a/src/conf-mode/vyos-config-dns-forwarding.py +++ b/src/conf-mode/vyos-config-dns-forwarding.py @@ -31,7 +31,6 @@ config_file = r'/etc/powerdns/recursor.conf' # especially in the semicolon-separated lists of name servers. # Please be careful if you edit the template. config_tmpl = """ - ### Autogenerated by vyos-config-dns-forwarding.py ### # Non-configurable defaults @@ -47,19 +46,19 @@ max-cache-entries={{ cache_size }} export-etc-hosts={{ export_hosts_file }} # listen-on -local-address= {{ listen_on | join(',') }} +local-address={{ listen_on | join(',') }} # domain ... server ... {% if domains -%} {% for d in domains -%} -forward-zones = {{ d.name }} = {{ d.servers | join(";") }} +forward-zones={{ d.name }} = {{ d.servers | join(";") }} {% endfor -%} {% endif %} # name-server -forward-zones-recurse=.= {{ name_servers | join(';') }} +forward-zones-recurse=.={{ name_servers | join(';') }} """ -- cgit v1.2.3 From 86771ef232f45058f8cf8c5848ef2e805afadd1b Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Tue, 15 May 2018 20:58:29 +0200 Subject: bugfix: vyos-config-dns-forwarding.py: adding name-server into dictionary --- src/conf-mode/vyos-config-dns-forwarding.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/conf-mode/vyos-config-dns-forwarding.py b/src/conf-mode/vyos-config-dns-forwarding.py index 5556c1693..9f3bb7aee 100755 --- a/src/conf-mode/vyos-config-dns-forwarding.py +++ b/src/conf-mode/vyos-config-dns-forwarding.py 
@@ -52,7 +52,7 @@ local-address={{ listen_on | join(',') }} {% if domains -%} {% for d in domains -%} -forward-zones={{ d.name }} = {{ d.servers | join(";") }} +forward-zones={{ d.name }}={{ d.servers | join(";") }} {% endfor -%} {% endif %} @@ -112,7 +112,7 @@ def get_config(): if conf.exists('name-server'): name_servers = conf.return_values('name-server') - dns.setdefault('name_servers', name_servers) + dns['name_servers'] = dns['name_servers'] + name_servers if conf.exists('system'): conf.set_level('system') -- cgit v1.2.3 From 560411eae7be70e5ef44edbdb5000aa311fdae8f Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Tue, 15 May 2018 21:16:11 +0200 Subject: bugfix: DNS domain forward server syntax When generating a configuration for DNS domain forward to a local server with 'set service dns forwarding domain foo.com server 1.1.1.1' this resulted in # domain ... server ... forward-zones=bar.com = 2.1.1.1;2.1.1.2 forward-zones=foo.com = 1.1.1.1;1.1.1.2 On PowerDNS recursor restart the last line won and it totally forgot about 'bar.com'. This could be seen from the logfiles that only one domain was loaded: Redirecting queries for zone 'foo.com.' to: 1.1.1.1:53, 1.1.1.2:53 The manual at https://doc.powerdns.com/3/recursor/settings/#forward-zones shows that all domains have to be configured on one 'forward-zones=' line. In the above example this has to result in: forward-zones=bar.com=2.1.1.1;2.1.1.2, foo.com=1.1.1.1;1.1.1.2 A subsequent check within the logfiles reveal that it's now working: Redirecting queries for zone 'bar.com.' to: 2.2.2.2:53, 2.2.2.1:53 Redirecting queries for zone 'foo.com.' to: 1.1.1.1:53, 1.1.1.2:53 --- src/conf-mode/vyos-config-dns-forwarding.py | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/conf-mode/vyos-config-dns-forwarding.py b/src/conf-mode/vyos-config-dns-forwarding.py index 5494d07aa..be48cde60 100755 --- a/src/conf-mode/vyos-config-dns-forwarding.py 
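Review bot: `dns['name_servers'] = dns['name_servers'] + name_servers` in the `@@ -112` hunk reads a key that the hunk never creates, so it raises `KeyError` unless `name_servers` is seeded in the defaults dictionary get_config starts from (not visible here); `dns['name_servers'] = dns.get('name_servers', []) + name_servers` removes that dependency. If `dns` is a shallow copy of a module-level default dictionary, building a new list with `+` rather than `+=` is what keeps the default list from being extended in place across runs, and that choice deserves a comment: `# new list on purpose: += would mutate the shared default list`. get_config starts before this hunk and ends after it.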
+++ b/src/conf-mode/vyos-config-dns-forwarding.py @@ -51,9 +51,10 @@ local-address={{ listen_on | join(',') }} # domain ... server ... {% if domains -%} -{% for d in domains -%} -forward-zones={{ d.name }}={{ d.servers | join(";") }} -{% endfor -%} +forward-zones={% for d in domains %} +{{ d.name }}={{ d.servers | join(";") }} +{%- if loop.first %}, {% endif %} +{% endfor %} {% endif %} @@ -184,7 +185,7 @@ def generate(dns): if dns is None: return None - tmpl = jinja2.Template(config_tmpl) + tmpl = jinja2.Template(config_tmpl, trim_blocks=True) config_text = tmpl.render(dns) with open(config_file, 'w') as f: -- cgit v1.2.3 From d9474df03d47b20f06580c3b32aac69849162015 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Tue, 15 May 2018 22:23:38 +0200 Subject: T634: Remove 'service ssh allow-root' --- interface-definitions/ssh.xml | 5 ----- src/conf-mode/vyos-config-ssh.py | 8 +------- 2 files changed, 1 insertion(+), 12 deletions(-) (limited to 'src') diff --git a/interface-definitions/ssh.xml b/interface-definitions/ssh.xml index f898f3934..7b2d0a3f9 100644 --- a/interface-definitions/ssh.xml +++ b/interface-definitions/ssh.xml @@ -38,11 +38,6 @@ - - - Enable root login over ssh - - Allowed ciphers diff --git a/src/conf-mode/vyos-config-ssh.py b/src/conf-mode/vyos-config-ssh.py index 1605dcd74..86b81366f 100755 --- a/src/conf-mode/vyos-config-ssh.py +++ b/src/conf-mode/vyos-config-ssh.py @@ -59,6 +59,7 @@ Banner /etc/issue.net Subsystem sftp /usr/lib/openssh/sftp-server UsePAM yes HostKey /etc/ssh/ssh_host_key +PermitRootLogin no # Specifies whether sshd should look up the remote host name, # and to check that the resolved host name for the remote IP 
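Review bot: The separator in the rebuilt `forward-zones=` loop is emitted only after the first entry (`{%- if loop.first %}, {% endif %}`), so with three or more domains the second and later entries are run together without a comma, giving something like `a=1.1.1.1, b=2.2.2.2c=3.3.3.3` (constructed example); the commit message only exercised two domains. `{%- if not loop.last %}, {% endif %}` separates every pair and still produces the two-domain output shown in the message. Turning on `trim_blocks=True` in generate changes newline handling for the whole template, not just this loop, so the other `{% … -%}` blocks and the blank lines in the rendered recursor.conf should be checked once after this change. generate starts before the `@@ -184` hunk and ends after it.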
@@ -72,9 +73,6 @@ Port {{ port }} # Gives the verbosity level that is used when logging messages from sshd LogLevel {{ log_level }} -# Specifies whether root can log in using ssh -PermitRootLogin {{ allow_root }} - # Specifies whether password authentication is allowed PasswordAuthentication {{ password_authentication }} @@ -142,7 +140,6 @@ DenyGroups {{ deny_groups | join(" ") }} default_config_data = { 'port' : '22', 'log_level': 'INFO', - 'allow_root': 'no', 'password_authentication': 'yes', 'host_validation': 'yes' } @@ -203,9 +200,6 @@ def get_config(): ssh.setdefault('deny_groups', groups) - if conf.exists('allow-root'): - ssh['allow-root'] = 'yes' - if conf.exists('ciphers'): # TODO: OpenSSH supports having multiple Ciphers configured. VyOS CLI # yet has no multi node for this. See T632 in phabricator. -- cgit v1.2.3
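Review bot: The `@@ -203` hunk stops reading `allow-root` and the xml node is deleted, but nothing in the diff migrates an existing configuration that still contains `service ssh allow-root`; unless a migration script exists outside this diff, such a configuration will fail to load after the upgrade, so that script (or at least a release note) is the missing piece. Hardcoding `PermitRootLogin no` in the template is the right direction; a one-line comment above it would stop the next maintainer from re-adding the knob: `# Root login over ssh is deliberately not configurable (T634)`. The `@@ -203` hunk is inside get_config, which starts and ends outside it.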