From 23fab8056330696c4aa26ba0ac7ded5dc405cb90 Mon Sep 17 00:00:00 2001
From: Ewald van Geffen
Date: Sat, 29 Apr 2017 23:04:55 +0200
Subject: T167: "set service ssh allow-root" does not function

---
 templates/service/ssh/allow-root/node.def | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'templates/service/ssh')

diff --git a/templates/service/ssh/allow-root/node.def b/templates/service/ssh/allow-root/node.def
index c1e6abf2..2f8e4354 100644
--- a/templates/service/ssh/allow-root/node.def
+++ b/templates/service/ssh/allow-root/node.def
@@ -1,5 +1,5 @@
 help: Enable root login over ssh
-create: sudo sed -i -e '/^PermitRootLogin/s/no/yes/' /etc/ssh/sshd_config
+create: sudo sed -i -e '/^PermitRootLogin/s/no\|without-password\|yes/yes/' /etc/ssh/sshd_config
-delete: sudo sed -i -e '/^PermitRootLogin/s/yes/no/' /etc/ssh/sshd_config
+delete: sudo sed -i -e '/^PermitRootLogin/s/no\|without-password\|yes/no/' /etc/ssh/sshd_config
-- 
cgit v1.2.3

From 9177a5ac53f02dfd321d4068105cb74d562e12de Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Sun, 31 Dec 2017 15:33:03 +0100
Subject: T507: fix regex to avoid multiple MAC lines in sshd_config

---
 templates/service/ssh/macs/node.def | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
(limited to 'templates/service/ssh')

diff --git a/templates/service/ssh/macs/node.def b/templates/service/ssh/macs/node.def
index ee6c60e1..f9bf4176 100644
--- a/templates/service/ssh/macs/node.def
+++ b/templates/service/ssh/macs/node.def
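Review bot: The new `create:` substitution is still a no-op when the existing `PermitRootLogin` value is one it does not list, notably `prohibit-password`, the spelling OpenSSH 7.0+ uses in place of `without-password` and the one current stock sshd_config files carry, so `set service ssh allow-root` can commit cleanly while root login stays disabled. Replacing the whole line does not depend on the current value and matches the `c` form the other templates in this series use: `create: sudo sed -i -e '/^PermitRootLogin.*$/c \` followed by `PermitRootLogin yes' /etc/ssh/sshd_config`, and the same with `no` for `delete:`. Note that `\|` alternation is a GNU sed extension rather than POSIX BRE. If the shipped sshd_config has the directive only in commented form (`#PermitRootLogin …`), neither the old nor the new command matches and the line would have to be appended instead; that cannot be confirmed from this hunk.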
@@ -1,10 +1,11 @@
 type: txt
-help: Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. See 'man sshd_config' for supported MACs.
+help: Allowed message authentication algorithms
+comp_help: Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. See 'ssh -Q mac' for supported MACs.
 create: sudo sed -i -e '$ a \
 MACs $VAR(@)' /etc/ssh/sshd_config
 delete: sudo sed -i -e '/^MACs $VAR(@)$/d' /etc/ssh/sshd_config
-update: sudo sed -i -e '/^MACs/c \
-MACs $VAR(@)' /etc/ssh/sshd_config
\ No newline at end of file
+update: sudo sed -i -e '/^MACs.*$/c \
+MACs $VAR(@)' /etc/ssh/sshd_config
-- 
cgit v1.2.3

From fd332e6dd8e155d0e73ad8264b75f681b82089f8 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Sun, 31 Dec 2017 15:33:34 +0100
Subject: T507: fix regex to avoid multiple Cipher lines in sshd_config

---
 templates/service/ssh/ciphers/node.def | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'templates/service/ssh')

diff --git a/templates/service/ssh/ciphers/node.def b/templates/service/ssh/ciphers/node.def
index 7eab846e..0394b8e4 100644
--- a/templates/service/ssh/ciphers/node.def
+++ b/templates/service/ssh/ciphers/node.def
@@ -25,5 +25,5 @@ Ciphers $VAR(@)' /etc/ssh/sshd_config
 delete: sudo sed -i -e '/^Ciphers $VAR(@)$/d' /etc/ssh/sshd_config
-update: sudo sed -i -e '/^Ciphers/c \
+update: sudo sed -i -e '/^Ciphers.*$/c \
 Ciphers $VAR(@)' /etc/ssh/sshd_config
-- 
cgit v1.2.3

From 39c3c6b0cb5a2b34cadcad857bc70577f1fefba3 Mon Sep 17 00:00:00 2001
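Review bot: The `update:` fix is right, but `create:` (the context line just above it) still appends with `$ a`, so if sshd_config already carries a `MACs` line the file ends up with two and sshd uses the first occurrence, silently ignoring the configured value; the `Ciphers` hunk below and the KexAlgorithms template added later in this series have the same shape. Appending at `$` also places the directive after any trailing `Match` block, where `MACs`, `Ciphers` and `KexAlgorithms` are not allowed and sshd rejects the whole file. Making `create:` replace an existing line (as `update:` now does) and fall back to inserting before the first `Match` covers both cases. This node also has no `syntax:` check, unlike the ciphers template, so an unsupported MAC name is written verbatim and only shows up as a failed restart; the `ssh -Q mac` list the new comp_help points to is the natural source for that validation.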
From: Christian Poessinger
Date: Sun, 31 Dec 2017 15:33:56 +0100
Subject: T507: Add new OpenSSH ciphers

---
 templates/service/ssh/ciphers/node.def | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
(limited to 'templates/service/ssh')

diff --git a/templates/service/ssh/ciphers/node.def b/templates/service/ssh/ciphers/node.def
index 0394b8e4..b5e5af68 100644
--- a/templates/service/ssh/ciphers/node.def
+++ b/templates/service/ssh/ciphers/node.def
@@ -1,21 +1,26 @@
 type: txt
 help: Allowed ciphers
 val_help: txt; Cipher string
-val_help: 3des-cbc; 3DES CBC
+val_help: aes128-gcm@openssh.com; AES 128 GCM
+val_help: aes256-gcm@openssh.com; AES 256 GCM
+val_help: chacha20-poly1305@openssh.com; ChaCha20 Poly1305
+val_help: 3des-cbc; 3DES CBC (weak)
 val_help: aes128-cbc; AES 128 CBC
 val_help: aes192-cbc; AES 192 CBC
 val_help: aes256-cbc; AES 256 CBC
 val_help: aes128-ctr; AES 128 CTR
 val_help: aes192-ctr; AES 192 CTR
 val_help: aes256-ctr; AES 256 CTR
-val_help: arcfour128; AC4 128
-val_help: arcfour256; AC4 256
-val_help: arcfour; AC4
+val_help: arcfour128; AC4 128 (broken)
+val_help: arcfour256; AC4 256 (broken)
+val_help: arcfour; AC4 (broken)
 val_help: blowfish-cbc; Blowfish CBC
 val_help: cast128-cbc; CAST 128 CBC
 comp_help: Multiple ciphers can be specified as a comma-separated list.
-syntax:expression: pattern $VAR(@) "^((3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|aes128-ctr|aes192-ctr|\
+syntax:expression: pattern $VAR(@) "^((aes128-gcm@openssh.com|\
+aes256-gcm@openssh.com|chacha20-poly1305@openssh.com|\
+3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|aes128-ctr|aes192-ctr|\
 aes256-ctr|arcfour128|arcfour256|arcfour|\
 blowfish-cbc|cast128-cbc)(,|$))+$"; \
 "$VAR(@) is not a valid cipher list"
-- 
cgit v1.2.3

From ed9ab6155a9ae94a9b9bb214c42fb8dad6dfbf04 Mon Sep 17 00:00:00 2001
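Review bot: The accepted list keeps `arcfour*`, `blowfish-cbc` and `cast128-cbc` even though the new help text marks them broken; OpenSSH 7.6 removed these ciphers entirely, so on such a build a selected value passes the `syntax:` pattern and then makes sshd reject its config on restart — a lockout rather than merely a weak session. Deriving the valid set from `ssh -Q cipher` (the way the later key-exchange commit in this series uses `ssh -Q kex` for completion) keeps validation aligned with the installed daemon; if the CLI must stay static, dropping the removed ciphers from the pattern is the minimal change. Minor: the unescaped `.` in `aes128-gcm@openssh.com` and its two siblings matches any character, so `\.` is the precise form.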
From: Christian Poessinger
Date: Sun, 31 Dec 2017 15:34:42 +0100
Subject: T507: Add support for key exchange algorithms

---
 templates/service/ssh/key-exchange/node.def | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 templates/service/ssh/key-exchange/node.def
(limited to 'templates/service/ssh')

diff --git a/templates/service/ssh/key-exchange/node.def b/templates/service/ssh/key-exchange/node.def
new file mode 100644
index 00000000..a3c91b0b
--- /dev/null
+++ b/templates/service/ssh/key-exchange/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: Allowed key exchange algorithms
+comp_help: Specifies the available KEX (key exchange) algorithms. The KEX algorithm is used in protocol version 2 for key negotiation upon session creation. Multiple algorithms must be comma-separated. See 'ssh -Q kex' for supported KEX algorithms.
+
+create: sudo sed -i -e '$ a \
+KexAlgorithms $VAR(@)' /etc/ssh/sshd_config
+
+delete: sudo sed -i -e '/^KexAlgorithms $VAR(@)$/d' /etc/ssh/sshd_config
+
+update: sudo sed -i -e '/^KexAlgorithms.*$/c \
+KexAlgorithms $VAR(@)' /etc/ssh/sshd_config
-- 
cgit v1.2.3

From 6f63930251beed98bb6d20567631db235dab1d16 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Sun, 31 Dec 2017 15:35:29 +0100
Subject: T507: Add support for SSHd loglevel configuration

---
 templates/service/ssh/loglevel/node.def | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 templates/service/ssh/loglevel/node.def
(limited to 'templates/service/ssh')

diff --git a/templates/service/ssh/loglevel/node.def b/templates/service/ssh/loglevel/node.def
new file mode 100644
index 00000000..f66ec068
--- /dev/null
+++ b/templates/service/ssh/loglevel/node.def
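Review bot: The new key-exchange node has no `syntax:` validation, so any string reaches `KexAlgorithms` in sshd_config unchanged, and a typo or an algorithm the installed OpenSSH does not support is discovered only when sshd refuses to restart, which takes remote access down with it. The comp_help already names `ssh -Q kex` as the reference list; a `syntax:expression:` that checks every comma-separated token of `$VAR(@)` against that output would turn this into a commit-time error. The `create:` append also produces a second `KexAlgorithms` line if the base config already carries one, in which case sshd keeps the first and ignores this value.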
@@ -0,0 +1,19 @@
+type: txt
+help: Log Level
+val_help: QUIET; stay silent
+val_help: FATAL; log fatals only
+val_help: ERROR; log errors and fatals only
+val_help: INFO; default log level
+val_help: VERBOSE; enable logging of failed login attempts
+comp_help: Gives the verbosity level that is used when logging messages from sshd(8). The default is INFO.
+
+syntax:expression: pattern $VAR(@) "^((QUIET|FATAL|ERROR|INFO|VERBOSE)(,|$))+$"; \
+"$VAR(@) is not a valid log level"
+
+create: sudo sed -i -e '/^LogLevel.*$/c \
+LogLevel $VAR(@)' /etc/ssh/sshd_config
+
+delete: sudo sed -i -e '/^LogLevel $VAR(@)$/d' /etc/ssh/sshd_config
+
+update: sudo sed -i -e '/^LogLevel.*$/c \
+LogLevel $VAR(@)' /etc/ssh/sshd_config
-- 
cgit v1.2.3

From 33346b68ed7155478fd435af963c2eeaf63a5f8a Mon Sep 17 00:00:00 2001
From: Alain Lamar
Date: Mon, 1 Jan 2018 12:43:23 +0100
Subject: T122: Add config nodes for user/group access controls in sshd_config

---
 templates/service/ssh/allow-groups/node.def | 11 +++++++++++
 templates/service/ssh/allow-users/node.def | 11 +++++++++++
 templates/service/ssh/deny-groups/node.def | 11 +++++++++++
 templates/service/ssh/deny-users/node.def | 11 +++++++++++
 templates/service/ssh/sshd-option/node.def | 8 ++++++++
 5 files changed, 52 insertions(+)
 create mode 100644 templates/service/ssh/allow-groups/node.def
 create mode 100644 templates/service/ssh/allow-users/node.def
 create mode 100644 templates/service/ssh/deny-groups/node.def
 create mode 100644 templates/service/ssh/deny-users/node.def
 create mode 100644 templates/service/ssh/sshd-option/node.def
(limited to 'templates/service/ssh')

diff --git a/templates/service/ssh/allow-groups/node.def b/templates/service/ssh/allow-groups/node.def
new file mode 100644
index 00000000..2d6aa75b
--- /dev/null
+++ b/templates/service/ssh/allow-groups/node.def
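Review bot: The loglevel `syntax:` pattern ends in `(,|$))+$`, carried over from the cipher list, so a comma-separated value such as `INFO,VERBOSE` passes validation even though `LogLevel` takes exactly one keyword and sshd rejects such a line at restart; the pattern should be `"^(QUIET|FATAL|ERROR|INFO|VERBOSE)$"`. Separately, `create:` uses the `c` (replace-line) command rather than the append the sibling templates use, which does nothing if sshd_config has no active `LogLevel` line — upstream ships it commented out as `#LogLevel INFO` — so a fresh `set service ssh loglevel VERBOSE` may commit without changing anything if the shipped file keeps that form; matching `^#*LogLevel` would cover the commented line as well. Leaving the `DEBUG*` levels out of the list is the right call, since sshd_config(5) warns they expose user privacy, and that rationale is worth one sentence in `comp_help`.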
@@ -0,0 +1,11 @@
+type: txt
+help: Configure sshd_config access control for allowed groups.
+comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple groups can be specified as a comma-separated list.
+
+create: sudo sed -i -e '$ a \
+AllowGroups $VAR(@)' /etc/ssh/sshd_config
+
+delete: sudo sed -i -e '/^AllowGroups $VAR(@)$/d' /etc/ssh/sshd_config
+
+update: sudo sed -i -e '/^AllowGroups.*$/c \
+AllowGroups $VAR(@)' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/allow-users/node.def b/templates/service/ssh/allow-users/node.def
new file mode 100644
index 00000000..2052bf69
--- /dev/null
+++ b/templates/service/ssh/allow-users/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: Configure sshd_config access control for allowed users.
+comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple users can be specified as a comma-separated list.
+
+create: sudo sed -i -e '$ a \
+AllowUsers $VAR(@)' /etc/ssh/sshd_config
+
+delete: sudo sed -i -e '/^AllowUsers $VAR(@)$/d' /etc/ssh/sshd_config
+
+update: sudo sed -i -e '/^AllowUsers.*$/c \
+AllowUsers $VAR(@)' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/deny-groups/node.def b/templates/service/ssh/deny-groups/node.def
new file mode 100644
index 00000000..c2c8dcab
--- /dev/null
+++ b/templates/service/ssh/deny-groups/node.def
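Review bot: `AllowUsers`/`AllowGroups` are positive allow-lists, so as soon as one is committed every account not covered — including the one performing the commit — is refused when the service is restarted, and nothing in these two templates checks that the configuring user or an administrative group stays included. A `commit:expression:` guard (or at least a warning in `comp_help`) belongs here and in the `access-control/allow-*` copies added later in this series. Also, sshd_config(5) documents these directives as space-separated lists of patterns; a comma-separated value appears to work only because each token is parsed as a pattern-list, so either the help should state the documented form or `create:`/`update:` should write the value with spaces.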
@@ -0,0 +1,11 @@
+type: txt
+help: Configure sshd_config access control for disallowed groups.
+comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple groups can be specified as a comma-separated list.
+
+create: sudo sed -i -e '$ a \
+DenyGroups $VAR(@)' /etc/ssh/sshd_config
+
+delete: sudo sed -i -e '/^DenyGroups $VAR(@)$/d' /etc/ssh/sshd_config
+
+update: sudo sed -i -e '/^DenyGroups.*$/c \
+DenyGroups $VAR(@)' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/deny-users/node.def b/templates/service/ssh/deny-users/node.def
new file mode 100644
index 00000000..a6426f90
--- /dev/null
+++ b/templates/service/ssh/deny-users/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: Configure sshd_config access control for disallowed users.
+comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple users can be specified as a comma-separated list.
+
+create: sudo sed -i -e '$ a \
+DenyUsers $VAR(@)' /etc/ssh/sshd_config
+
+delete: sudo sed -i -e '/^DenyUsers $VAR(@)$/d' /etc/ssh/sshd_config
+
+update: sudo sed -i -e '/^DenyUsers.*$/c \
+DenyUsers $VAR(@)' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/sshd-option/node.def b/templates/service/ssh/sshd-option/node.def
new file mode 100644
index 00000000..7f6ec7ec
--- /dev/null
+++ b/templates/service/ssh/sshd-option/node.def
@@ -0,0 +1,8 @@
+multi:
+type: txt
+help: Additional options for sshd_config
+
+create: sudo sed -i -e '$ a \
+$VAR(@)' /etc/ssh/sshd_config
+
+delete: sudo sed -i -e '/^$VAR(@)$/d' /etc/ssh/sshd_config
-- 
cgit v1.2.3

From 082dd8fa2190bb4a0df818b827736766a77cf0bc Mon Sep 17 00:00:00 2001
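Review bot: `sshd-option` appends a free-form value to sshd_config with no `syntax:` check, so any directive can be set through it, including those this series exposes as validated nodes (`PermitRootLogin`, `Ciphers`, `AllowUsers`); because sshd honours the first occurrence of a directive, which of the two wins depends on file order and is invisible to the operator, so the node should at least reject keywords that have a dedicated template and the help should say the value is written unchecked. The `delete:` address also embeds the raw value inside `/…/`, so an option containing a slash (an `AuthorizedKeysFile` path, for instance) breaks the sed expression and the line survives in sshd_config after it was removed from the configuration; a delimiter that cannot occur in the value, e.g. `'\|^$VAR(@)$|d'`, plus escaping of regex metacharacters fixes that. A value containing `'` ends the single-quoted sed script, so the rest of the value runs as shell under `sudo`, which is one more reason to validate before interpolating. The `deny-groups`/`deny-users` hunks above mirror the allow templates and need no separate note.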
From: Alain Lamar
Date: Tue, 2 Jan 2018 19:09:58 +0100
Subject: T122: Add a new node to store access control configurations

---
 templates/service/ssh/access-control/node.def | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 templates/service/ssh/access-control/node.def
(limited to 'templates/service/ssh')

diff --git a/templates/service/ssh/access-control/node.def b/templates/service/ssh/access-control/node.def
new file mode 100644
index 00000000..8f6ca6e7
--- /dev/null
+++ b/templates/service/ssh/access-control/node.def
@@ -0,0 +1,2 @@
+help: SSH user/group access controls
+comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple users can be specified as a comma-separated list.
-- 
cgit v1.2.3

From 7a628be1675cca0218c14794a7a07321545ca057 Mon Sep 17 00:00:00 2001
From: Alain Lamar
Date: Tue, 2 Jan 2018 19:11:24 +0100
Subject: T122: Added a config node to implement sshd_config's AllowUsers

---
 templates/service/ssh/access-control/allow-users/node.def | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 templates/service/ssh/access-control/allow-users/node.def
(limited to 'templates/service/ssh')

diff --git a/templates/service/ssh/access-control/allow-users/node.def b/templates/service/ssh/access-control/allow-users/node.def
new file mode 100644
index 00000000..2052bf69
--- /dev/null
+++ b/templates/service/ssh/access-control/allow-users/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: Configure sshd_config access control for allowed users.
+comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple users can be specified as a comma-separated list.
+
+create: sudo sed -i -e '$ a \
+AllowUsers $VAR(@)' /etc/ssh/sshd_config
+
+delete: sudo sed -i -e '/^AllowUsers $VAR(@)$/d' /etc/ssh/sshd_config
+
+update: sudo sed -i -e '/^AllowUsers.*$/c \
+AllowUsers $VAR(@)' /etc/ssh/sshd_config
-- 
cgit v1.2.3

From f76f756b8c031226c37a3851074cc26f506ccf2b Mon Sep 17 00:00:00 2001
From: Alain Lamar
Date: Tue, 2 Jan 2018 19:12:09 +0100
Subject: T122: Added a config node to implement sshd_config's AllowGroups

---
 templates/service/ssh/access-control/allow-groups/node.def | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 templates/service/ssh/access-control/allow-groups/node.def
(limited to 'templates/service/ssh')

diff --git a/templates/service/ssh/access-control/allow-groups/node.def b/templates/service/ssh/access-control/allow-groups/node.def
new file mode 100644
index 00000000..2d6aa75b
--- /dev/null
+++ b/templates/service/ssh/access-control/allow-groups/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: Configure sshd_config access control for allowed groups.
+comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple groups can be specified as a comma-separated list.
+
+create: sudo sed -i -e '$ a \
+AllowGroups $VAR(@)' /etc/ssh/sshd_config
+
+delete: sudo sed -i -e '/^AllowGroups $VAR(@)$/d' /etc/ssh/sshd_config
+
+update: sudo sed -i -e '/^AllowGroups.*$/c \
+AllowGroups $VAR(@)' /etc/ssh/sshd_config
-- 
cgit v1.2.3

From f56e7154b9dfb36305cfb0c36998d245c26ad343 Mon Sep 17 00:00:00 2001
From: Alain Lamar
Date: Tue, 2 Jan 2018 19:12:27 +0100
Subject: T122: Added a config node to implement sshd_config's DenyUsers

---
 templates/service/ssh/access-control/deny-users/node.def | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 templates/service/ssh/access-control/deny-users/node.def
(limited to 'templates/service/ssh')

diff --git a/templates/service/ssh/access-control/deny-users/node.def b/templates/service/ssh/access-control/deny-users/node.def
new file mode 100644
index 00000000..a6426f90
--- /dev/null
+++ b/templates/service/ssh/access-control/deny-users/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: Configure sshd_config access control for disallowed users.
+comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple users can be specified as a comma-separated list.
+
+create: sudo sed -i -e '$ a \
+DenyUsers $VAR(@)' /etc/ssh/sshd_config
+
+delete: sudo sed -i -e '/^DenyUsers $VAR(@)$/d' /etc/ssh/sshd_config
+
+update: sudo sed -i -e '/^DenyUsers.*$/c \
+DenyUsers $VAR(@)' /etc/ssh/sshd_config
-- 
cgit v1.2.3

From ccbfc90fdb6239d30613fb28b76144c03c2d9809 Mon Sep 17 00:00:00 2001
From: Alain Lamar
Date: Tue, 2 Jan 2018 19:12:43 +0100
Subject: T122: Added a config node to implement sshd_config's DenyGroups

---
 templates/service/ssh/access-control/deny-groups/node.def | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 templates/service/ssh/access-control/deny-groups/node.def
(limited to 'templates/service/ssh')

diff --git a/templates/service/ssh/access-control/deny-groups/node.def b/templates/service/ssh/access-control/deny-groups/node.def
new file mode 100644
index 00000000..c2c8dcab
--- /dev/null
+++ b/templates/service/ssh/access-control/deny-groups/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: Configure sshd_config access control for disallowed groups.
+comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple groups can be specified as a comma-separated list.
+
+create: sudo sed -i -e '$ a \
+DenyGroups $VAR(@)' /etc/ssh/sshd_config
+
+delete: sudo sed -i -e '/^DenyGroups $VAR(@)$/d' /etc/ssh/sshd_config
+
+update: sudo sed -i -e '/^DenyGroups.*$/c \
+DenyGroups $VAR(@)' /etc/ssh/sshd_config
-- 
cgit v1.2.3

From c4b7a6a89d8309ffef66c7ddf9a74e03eef6c83f Mon Sep 17 00:00:00 2001
From: Alain Lamar
Date: Tue, 2 Jan 2018 19:17:20 +0100
Subject: T122: Undo the multiple-features-in-one-commit commit

---
 templates/service/ssh/allow-groups/node.def | 11 -----------
 templates/service/ssh/allow-users/node.def | 11 -----------
 templates/service/ssh/deny-groups/node.def | 11 -----------
 templates/service/ssh/deny-users/node.def | 11 -----------
 templates/service/ssh/sshd-option/node.def | 8 --------
 5 files changed, 52 deletions(-)
 delete mode 100644 templates/service/ssh/allow-groups/node.def
 delete mode 100644 templates/service/ssh/allow-users/node.def
 delete mode 100644 templates/service/ssh/deny-groups/node.def
 delete mode 100644 templates/service/ssh/deny-users/node.def
 delete mode 100644 templates/service/ssh/sshd-option/node.def
(limited to 'templates/service/ssh')

diff --git a/templates/service/ssh/allow-groups/node.def b/templates/service/ssh/allow-groups/node.def
deleted file mode 100644
index 2d6aa75b..00000000
--- a/templates/service/ssh/allow-groups/node.def
+++ /dev/null
@@ -1,11 +0,0 @@
-type: txt
-help: Configure sshd_config access control for allowed groups.
-comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple groups can be specified as a comma-separated list.
-
-create: sudo sed -i -e '$ a \
-AllowGroups $VAR(@)' /etc/ssh/sshd_config
-
-delete: sudo sed -i -e '/^AllowGroups $VAR(@)$/d' /etc/ssh/sshd_config
-
-update: sudo sed -i -e '/^AllowGroups.*$/c \
-AllowGroups $VAR(@)' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/allow-users/node.def b/templates/service/ssh/allow-users/node.def
deleted file mode 100644
index 2052bf69..00000000
--- a/templates/service/ssh/allow-users/node.def
+++ /dev/null
@@ -1,11 +0,0 @@
-type: txt
-help: Configure sshd_config access control for allowed users.
-comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple users can be specified as a comma-separated list.
-
-create: sudo sed -i -e '$ a \
-AllowUsers $VAR(@)' /etc/ssh/sshd_config
-
-delete: sudo sed -i -e '/^AllowUsers $VAR(@)$/d' /etc/ssh/sshd_config
-
-update: sudo sed -i -e '/^AllowUsers.*$/c \
-AllowUsers $VAR(@)' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/deny-groups/node.def b/templates/service/ssh/deny-groups/node.def
deleted file mode 100644
index c2c8dcab..00000000
--- a/templates/service/ssh/deny-groups/node.def
+++ /dev/null
@@ -1,11 +0,0 @@
-type: txt
-help: Configure sshd_config access control for disallowed groups.
-comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple groups can be specified as a comma-separated list.
-
-create: sudo sed -i -e '$ a \
-DenyGroups $VAR(@)' /etc/ssh/sshd_config
-
-delete: sudo sed -i -e '/^DenyGroups $VAR(@)$/d' /etc/ssh/sshd_config
-
-update: sudo sed -i -e '/^DenyGroups.*$/c \
-DenyGroups $VAR(@)' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/deny-users/node.def b/templates/service/ssh/deny-users/node.def
deleted file mode 100644
index a6426f90..00000000
--- a/templates/service/ssh/deny-users/node.def
+++ /dev/null
@@ -1,11 +0,0 @@
-type: txt
-help: Configure sshd_config access control for disallowed users.
-comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple users can be specified as a comma-separated list.
-
-create: sudo sed -i -e '$ a \
-DenyUsers $VAR(@)' /etc/ssh/sshd_config
-
-delete: sudo sed -i -e '/^DenyUsers $VAR(@)$/d' /etc/ssh/sshd_config
-
-update: sudo sed -i -e '/^DenyUsers.*$/c \
-DenyUsers $VAR(@)' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/sshd-option/node.def b/templates/service/ssh/sshd-option/node.def
deleted file mode 100644
index 7f6ec7ec..00000000
--- a/templates/service/ssh/sshd-option/node.def
+++ /dev/null
@@ -1,8 +0,0 @@
-multi:
-type: txt
-help: Additional options for sshd_config
-
-create: sudo sed -i -e '$ a \
-$VAR(@)' /etc/ssh/sshd_config
-
-delete: sudo sed -i -e '/^$VAR(@)$/d' /etc/ssh/sshd_config
-- 
cgit v1.2.3

From d8dd509656e24d0050050ed067021e4b45e07d59 Mon Sep 17 00:00:00 2001
From: Daniil Baturin
Date: Wed, 28 Feb 2018 13:32:24 +0100
Subject: T507: add autocompletion or SSH key exchange algorithms

---
 templates/service/ssh/key-exchange/node.def | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'templates/service/ssh')

diff --git a/templates/service/ssh/key-exchange/node.def b/templates/service/ssh/key-exchange/node.def
index a3c91b0b..00df581a 100644
--- a/templates/service/ssh/key-exchange/node.def
+++ b/templates/service/ssh/key-exchange/node.def
@@ -1,6 +1,7 @@
 type: txt
-help: Allowed key exchange algorithms
-comp_help: Specifies the available KEX (key exchange) algorithms. The KEX algorithm is used in protocol version 2 for key negotiation upon session creation. Multiple algorithms must be comma-separated. See 'ssh -Q kex' for supported KEX algorithms.
+help: Key exchange algorithms
+
+allowed: ssh -Q kex | perl -ne '$_=~s/\n/ /;print'
 create: sudo sed -i -e '$ a \
 KexAlgorithms $VAR(@)' /etc/ssh/sshd_config
-- 
cgit v1.2.3

From 58bcf1639e1656643e3470e25fbbea0a707355a9 Mon Sep 17 00:00:00 2001
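Review bot: `allowed:` only feeds tab completion; it does not constrain what is accepted, so the node still writes any string into `KexAlgorithms` and an unsupported or misspelled algorithm surfaces only when sshd fails to restart. Since the `ssh -Q kex` output is now already at hand, a `syntax:expression:` that checks every comma-separated token of `$VAR(@)` against it would turn that into a commit-time error. The removed `comp_help` was the only place telling the operator that multiple algorithms are comma-separated; the new `help:` should keep that sentence.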
From: Christian Poessinger
Date: Sun, 13 May 2018 14:17:44 +0200
Subject: T631: Rewrite SSH configuration as XML interface definition

---
 .../ssh/access-control/allow-groups/node.def | 11 -------
 .../ssh/access-control/allow-users/node.def | 11 -------
 .../ssh/access-control/deny-groups/node.def | 11 -------
 .../service/ssh/access-control/deny-users/node.def | 11 -------
 templates/service/ssh/access-control/node.def | 2 --
 templates/service/ssh/allow-root/node.def | 5 ----
 templates/service/ssh/ciphers/node.def | 34 ----------------------
 .../service/ssh/disable-host-validation/node.def | 6 ----
 .../ssh/disable-password-authentication/node.def | 5 ----
 templates/service/ssh/key-exchange/node.def | 12 --------
 templates/service/ssh/listen-address/node.def | 10 -------
 templates/service/ssh/loglevel/node.def | 19 ------------
 templates/service/ssh/macs/node.def | 11 -------
 templates/service/ssh/node.def | 8 -----
 templates/service/ssh/port/node.def | 7 -----
 15 files changed, 163 deletions(-)
 delete mode 100644 templates/service/ssh/access-control/allow-groups/node.def
 delete mode 100644 templates/service/ssh/access-control/allow-users/node.def
 delete mode 100644 templates/service/ssh/access-control/deny-groups/node.def
 delete mode 100644 templates/service/ssh/access-control/deny-users/node.def
 delete mode 100644 templates/service/ssh/access-control/node.def
 delete mode 100644 templates/service/ssh/allow-root/node.def
 delete mode 100644 templates/service/ssh/ciphers/node.def
 delete mode 100644 templates/service/ssh/disable-host-validation/node.def
 delete mode 100644 templates/service/ssh/disable-password-authentication/node.def
 delete mode 100644 templates/service/ssh/key-exchange/node.def
 delete mode 100644 templates/service/ssh/listen-address/node.def
 delete mode 100644 templates/service/ssh/loglevel/node.def
 delete mode 100644 templates/service/ssh/macs/node.def
 delete mode 100644 templates/service/ssh/node.def
 delete mode 100644 templates/service/ssh/port/node.def
(limited to 'templates/service/ssh')

diff --git a/templates/service/ssh/access-control/allow-groups/node.def b/templates/service/ssh/access-control/allow-groups/node.def
deleted file mode 100644
index 2d6aa75b..00000000
--- a/templates/service/ssh/access-control/allow-groups/node.def
+++ /dev/null
@@ -1,11 +0,0 @@
-type: txt
-help: Configure sshd_config access control for allowed groups.
-comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple groups can be specified as a comma-separated list.
-
-create: sudo sed -i -e '$ a \
-AllowGroups $VAR(@)' /etc/ssh/sshd_config
-
-delete: sudo sed -i -e '/^AllowGroups $VAR(@)$/d' /etc/ssh/sshd_config
-
-update: sudo sed -i -e '/^AllowGroups.*$/c \
-AllowGroups $VAR(@)' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/access-control/allow-users/node.def b/templates/service/ssh/access-control/allow-users/node.def
deleted file mode 100644
index 2052bf69..00000000
--- a/templates/service/ssh/access-control/allow-users/node.def
+++ /dev/null
@@ -1,11 +0,0 @@
-type: txt
-help: Configure sshd_config access control for allowed users.
-comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple users can be specified as a comma-separated list.
-
-create: sudo sed -i -e '$ a \
-AllowUsers $VAR(@)' /etc/ssh/sshd_config
-
-delete: sudo sed -i -e '/^AllowUsers $VAR(@)$/d' /etc/ssh/sshd_config
-
-update: sudo sed -i -e '/^AllowUsers.*$/c \
-AllowUsers $VAR(@)' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/access-control/deny-groups/node.def b/templates/service/ssh/access-control/deny-groups/node.def
deleted file mode 100644
index c2c8dcab..00000000
--- a/templates/service/ssh/access-control/deny-groups/node.def
+++ /dev/null
@@ -1,11 +0,0 @@
-type: txt
-help: Configure sshd_config access control for disallowed groups.
-comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple groups can be specified as a comma-separated list.
-
-create: sudo sed -i -e '$ a \
-DenyGroups $VAR(@)' /etc/ssh/sshd_config
-
-delete: sudo sed -i -e '/^DenyGroups $VAR(@)$/d' /etc/ssh/sshd_config
-
-update: sudo sed -i -e '/^DenyGroups.*$/c \
-DenyGroups $VAR(@)' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/access-control/deny-users/node.def b/templates/service/ssh/access-control/deny-users/node.def
deleted file mode 100644
index a6426f90..00000000
--- a/templates/service/ssh/access-control/deny-users/node.def
+++ /dev/null
@@ -1,11 +0,0 @@
-type: txt
-help: Configure sshd_config access control for disallowed users.
-comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple users can be specified as a comma-separated list.
-
-create: sudo sed -i -e '$ a \
-DenyUsers $VAR(@)' /etc/ssh/sshd_config
-
-delete: sudo sed -i -e '/^DenyUsers $VAR(@)$/d' /etc/ssh/sshd_config
-
-update: sudo sed -i -e '/^DenyUsers.*$/c \
-DenyUsers $VAR(@)' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/access-control/node.def b/templates/service/ssh/access-control/node.def
deleted file mode 100644
index 8f6ca6e7..00000000
--- a/templates/service/ssh/access-control/node.def
+++ /dev/null
@@ -1,2 +0,0 @@
-help: SSH user/group access controls
-comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple users can be specified as a comma-separated list.
diff --git a/templates/service/ssh/allow-root/node.def b/templates/service/ssh/allow-root/node.def
deleted file mode 100644
index 2f8e4354..00000000
--- a/templates/service/ssh/allow-root/node.def
+++ /dev/null
@@ -1,5 +0,0 @@
-help: Enable root login over ssh
-
-create: sudo sed -i -e '/^PermitRootLogin/s/no\|without-password\|yes/yes/' /etc/ssh/sshd_config
-
-delete: sudo sed -i -e '/^PermitRootLogin/s/no\|without-password\|yes/no/' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/ciphers/node.def b/templates/service/ssh/ciphers/node.def
deleted file mode 100644
index b5e5af68..00000000
--- a/templates/service/ssh/ciphers/node.def
+++ /dev/null
@@ -1,34 +0,0 @@
-type: txt
-help: Allowed ciphers
-val_help: txt; Cipher string
-val_help: aes128-gcm@openssh.com; AES 128 GCM
-val_help: aes256-gcm@openssh.com; AES 256 GCM
-val_help: chacha20-poly1305@openssh.com; ChaCha20 Poly1305
-val_help: 3des-cbc; 3DES CBC (weak)
-val_help: aes128-cbc; AES 128 CBC
-val_help: aes192-cbc; AES 192 CBC
-val_help: aes256-cbc; AES 256 CBC
-val_help: aes128-ctr; AES 128 CTR
-val_help: aes192-ctr; AES 192 CTR
-val_help: aes256-ctr; AES 256 CTR
-val_help: arcfour128; AC4 128 (broken)
-val_help: arcfour256; AC4 256 (broken)
-val_help: arcfour; AC4 (broken)
-val_help: blowfish-cbc; Blowfish CBC
-val_help: cast128-cbc; CAST 128 CBC
-comp_help: Multiple ciphers can be specified as a comma-separated list.
-
-syntax:expression: pattern $VAR(@) "^((aes128-gcm@openssh.com|\
-aes256-gcm@openssh.com|chacha20-poly1305@openssh.com|\
-3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|aes128-ctr|aes192-ctr|\
-aes256-ctr|arcfour128|arcfour256|arcfour|\
-blowfish-cbc|cast128-cbc)(,|$))+$"; \
-"$VAR(@) is not a valid cipher list"
-
-create: sudo sed -i -e '$ a \
-Ciphers $VAR(@)' /etc/ssh/sshd_config
-
-delete: sudo sed -i -e '/^Ciphers $VAR(@)$/d' /etc/ssh/sshd_config
-
-update: sudo sed -i -e '/^Ciphers.*$/c \
-Ciphers $VAR(@)' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/disable-host-validation/node.def b/templates/service/ssh/disable-host-validation/node.def
deleted file mode 100644
index fff28dbd..00000000
--- a/templates/service/ssh/disable-host-validation/node.def
+++ /dev/null
@@ -1,6 +0,0 @@
-help: Don't validate the remote host name with DNS
-
-update: sudo sed -i -e '/^UseDNS/s/yes/no/' /etc/ssh/sshd_config
-
-delete: sudo sed -i -e '/^UseDNS/s/no/yes/' /etc/ssh/sshd_config
-
diff --git a/templates/service/ssh/disable-password-authentication/node.def b/templates/service/ssh/disable-password-authentication/node.def
deleted file mode 100644
index 59abacfc..00000000
--- a/templates/service/ssh/disable-password-authentication/node.def
+++ /dev/null
@@ -1,5 +0,0 @@
-help: Don't allow unknown user to login with password
-
-update: sudo sed -i -e '/^PasswordAuthentication/s/yes/no/' /etc/ssh/sshd_config
-
-delete: sudo sed -i -e '/^PasswordAuthentication/s/no/yes/' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/key-exchange/node.def b/templates/service/ssh/key-exchange/node.def
deleted file mode 100644
index 00df581a..00000000
--- a/templates/service/ssh/key-exchange/node.def
+++ /dev/null
@@ -1,12 +0,0 @@
-type: txt
-help: Key exchange algorithms
-
-allowed: ssh -Q kex | perl -ne '$_=~s/\n/ /;print'
-
-create: sudo sed -i -e '$ a \
-KexAlgorithms $VAR(@)' /etc/ssh/sshd_config
-
-delete: sudo sed -i -e '/^KexAlgorithms $VAR(@)$/d' /etc/ssh/sshd_config
-
-update: sudo sed -i -e '/^KexAlgorithms.*$/c \
-KexAlgorithms $VAR(@)' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/listen-address/node.def b/templates/service/ssh/listen-address/node.def
deleted file mode 100644
index aeff03f2..00000000
--- a/templates/service/ssh/listen-address/node.def
+++ /dev/null
@@ -1,10 +0,0 @@
-multi:
-type: ipv4,ipv6
-help: Local addresses SSH service should listen on
-val_help: ipv4: IP address to listen for incoming connections
-val_help: ipv6: IPv6 address to listen for incoming connections
-
-create: sudo sed -i -e '/^Port/a \
-ListenAddress $VAR(@)' /etc/ssh/sshd_config
-
-delete: sudo sed -i -e '/^ListenAddress $VAR(@)$/d' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/loglevel/node.def b/templates/service/ssh/loglevel/node.def
deleted file mode 100644
index f66ec068..00000000
--- a/templates/service/ssh/loglevel/node.def
+++ /dev/null
@@ -1,19 +0,0 @@
-type: txt
-help: Log Level
-val_help: QUIET; stay silent
-val_help: FATAL; log fatals only
-val_help: ERROR; log errors and fatals only
-val_help: INFO; default log level
-val_help: VERBOSE; enable logging of failed login attempts
-comp_help: Gives the verbosity level that is used when logging messages from sshd(8). The default is INFO.
-
-syntax:expression: pattern $VAR(@) "^((QUIET|FATAL|ERROR|INFO|VERBOSE)(,|$))+$"; \
-"$VAR(@) is not a valid log level"
-
-create: sudo sed -i -e '/^LogLevel.*$/c \
-LogLevel $VAR(@)' /etc/ssh/sshd_config
-
-delete: sudo sed -i -e '/^LogLevel $VAR(@)$/d' /etc/ssh/sshd_config
-
-update: sudo sed -i -e '/^LogLevel.*$/c \
-LogLevel $VAR(@)' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/macs/node.def b/templates/service/ssh/macs/node.def
deleted file mode 100644
index f9bf4176..00000000
--- a/templates/service/ssh/macs/node.def
+++ /dev/null
@@ -1,11 +0,0 @@
-type: txt
-help: Allowed message authentication algorithms
-comp_help: Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. See 'ssh -Q mac' for supported MACs.
-
-create: sudo sed -i -e '$ a \
-MACs $VAR(@)' /etc/ssh/sshd_config
-
-delete: sudo sed -i -e '/^MACs $VAR(@)$/d' /etc/ssh/sshd_config
-
-update: sudo sed -i -e '/^MACs.*$/c \
-MACs $VAR(@)' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/node.def b/templates/service/ssh/node.def
deleted file mode 100644
index 7117a2fd..00000000
--- a/templates/service/ssh/node.def
+++ /dev/null
@@ -1,8 +0,0 @@
-priority: 500 # After syslog and logins
-help: Secure SHell (SSH) protocol
-delete:sudo /usr/sbin/invoke-rc.d ssh stop
- sudo sh -c "echo 'SSHD_OPTS=' > /etc/default/ssh"
-end: if [ -z "$VAR(port/@)" ]; then exit 0; fi
- STR="SSHD_OPTS=\"-p $VAR(port/@)\""
- sudo sh -c "echo '$STR' > /etc/default/ssh"
- sudo /usr/sbin/invoke-rc.d ssh restart
diff --git a/templates/service/ssh/port/node.def b/templates/service/ssh/port/node.def
deleted file mode 100644
index d4f53378..00000000
--- a/templates/service/ssh/port/node.def
+++ /dev/null
@@ -1,7 +0,0 @@
-type: u32
-default: 22
-help: Port for SSH service
-val_help: u32:1-65535; Numeric IP port
-
-syntax:expression: $VAR(@) > 0 && $VAR(@) <= 65535 ; \
- "Port number must be in range 1 to 65535"
-- 
cgit v1.2.3