From 33346b68ed7155478fd435af963c2eeaf63a5f8a Mon Sep 17 00:00:00 2001
From: Alain Lamar
Date: Mon, 1 Jan 2018 12:43:23 +0100
Subject: T122: Add config nodes for user/group access controls in sshd_config
---
templates/service/ssh/allow-groups/node.def | 11 +++++++++++
templates/service/ssh/allow-users/node.def | 11 +++++++++++
templates/service/ssh/deny-groups/node.def | 11 +++++++++++
templates/service/ssh/deny-users/node.def | 11 +++++++++++
templates/service/ssh/sshd-option/node.def | 8 ++++++++
5 files changed, 52 insertions(+)
create mode 100644 templates/service/ssh/allow-groups/node.def
create mode 100644 templates/service/ssh/allow-users/node.def
create mode 100644 templates/service/ssh/deny-groups/node.def
create mode 100644 templates/service/ssh/deny-users/node.def
create mode 100644 templates/service/ssh/sshd-option/node.def
(limited to 'templates')
diff --git a/templates/service/ssh/allow-groups/node.def b/templates/service/ssh/allow-groups/node.def
new file mode 100644
index 00000000..2d6aa75b
--- /dev/null
+++ b/templates/service/ssh/allow-groups/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: Configure sshd_config access control for allowed groups.
+comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple groups can be specified as a comma-separated list.
+
+create: sudo sed -i -e '$ a \
+AllowGroups $VAR(@)' /etc/ssh/sshd_config
+
+delete: sudo sed -i -e '/^AllowGroups $VAR(@)$/d' /etc/ssh/sshd_config
+
+update: sudo sed -i -e '/^AllowGroups.*$/c \
+AllowGroups $VAR(@)' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/allow-users/node.def b/templates/service/ssh/allow-users/node.def
new file mode 100644
index 00000000..2052bf69
--- /dev/null
+++ b/templates/service/ssh/allow-users/node.def
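Review bot: `$VAR(@)` is pasted unescaped into a single-quoted sed script that runs under `sudo` in the `create:`, `delete:` and `update:` lines, and the node is `type: txt` with no `syntax:expression:` constraint, so a value containing a quote, `/`, `\` or a newline can end the sed expression or (assuming the command is run through a shell) the shell quoting, and whatever follows executes with root privileges. Constrain the value before it reaches the command, for example `syntax:expression: pattern $VAR(@) "^[A-Za-z0-9_][A-Za-z0-9_.-]*( [A-Za-z0-9_][A-Za-z0-9_.-]*)*$" ; "invalid group name list"`, or pass the value to a helper script as an argument instead of interpolating it. The same construction appears in the allow-users, deny-groups, deny-users and sshd-option hunks of this commit and in the four access-control/* copies added by the later commits in this series.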
@@ -0,0 +1,11 @@
+type: txt
+help: Configure sshd_config access control for allowed users.
+comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple users can be specified as a comma-separated list.
+
+create: sudo sed -i -e '$ a \
+AllowUsers $VAR(@)' /etc/ssh/sshd_config
+
+delete: sudo sed -i -e '/^AllowUsers $VAR(@)$/d' /etc/ssh/sshd_config
+
+update: sudo sed -i -e '/^AllowUsers.*$/c \
+AllowUsers $VAR(@)' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/deny-groups/node.def b/templates/service/ssh/deny-groups/node.def
new file mode 100644
index 00000000..c2c8dcab
--- /dev/null
+++ b/templates/service/ssh/deny-groups/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: Configure sshd_config access control for disallowed groups.
+comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple groups can be specified as a comma-separated list.
+
+create: sudo sed -i -e '$ a \
+DenyGroups $VAR(@)' /etc/ssh/sshd_config
+
+delete: sudo sed -i -e '/^DenyGroups $VAR(@)$/d' /etc/ssh/sshd_config
+
+update: sudo sed -i -e '/^DenyGroups.*$/c \
+DenyGroups $VAR(@)' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/deny-users/node.def b/templates/service/ssh/deny-users/node.def
new file mode 100644
index 00000000..a6426f90
--- /dev/null
+++ b/templates/service/ssh/deny-users/node.def
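Review bot: The `comp_help` text tells the operator to enter multiple users as a comma-separated list, but sshd_config(5) describes AllowUsers, DenyUsers, AllowGroups and DenyGroups as lists of patterns separated by spaces. A value such as `alice,bob` (constructed example) is written verbatim after `AllowUsers`, and sshd is likely to treat it as a single pattern that matches no account, which locks every user out for an allow list and silently denies nobody for a deny list. Change the wording to `Multiple users can be specified as a space-separated list.`; the same sentence is in the allow-groups, deny-groups and deny-users hunks, in access-control/node.def and in the access-control/* copies later in the series.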
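Review bot: `create:` appends the directive with `$ a`, so where it takes effect depends on whatever already sits at the end of /etc/ssh/sshd_config: if the file ends inside a `Match` block, the new `DenyGroups` line becomes part of that block and applies only to connections that match it. The sshd-option node in this same commit appends arbitrary lines the same way, so a trailing `Match` line is reachable from configuration. Consider inserting the access-control directives ahead of the first `Match` line, or generating the file from a template instead of editing it in place. This applies equally to the allow-users, allow-groups and deny-users nodes.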
@@ -0,0 +1,11 @@
+type: txt
+help: Configure sshd_config access control for disallowed users.
+comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple users can be specified as a comma-separated list.
+
+create: sudo sed -i -e '$ a \
+DenyUsers $VAR(@)' /etc/ssh/sshd_config
+
+delete: sudo sed -i -e '/^DenyUsers $VAR(@)$/d' /etc/ssh/sshd_config
+
+update: sudo sed -i -e '/^DenyUsers.*$/c \
+DenyUsers $VAR(@)' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/sshd-option/node.def b/templates/service/ssh/sshd-option/node.def
new file mode 100644
index 00000000..7f6ec7ec
--- /dev/null
+++ b/templates/service/ssh/sshd-option/node.def
@@ -0,0 +1,8 @@
+multi:
+type: txt
+help: Additional options for sshd_config
+
+create: sudo sed -i -e '$ a \
+$VAR(@)' /etc/ssh/sshd_config
+
+delete: sudo sed -i -e '/^$VAR(@)$/d' /etc/ssh/sshd_config
-- cgit v1.2.3
From 082dd8fa2190bb4a0df818b827736766a77cf0bc Mon Sep 17 00:00:00 2001
From: Alain Lamar
Date: Tue, 2 Jan 2018 19:09:58 +0100
Subject: T122: Add a new node to store access control configurations
---
templates/service/ssh/access-control/node.def | 2 ++
1 file changed, 2 insertions(+)
create mode 100644 templates/service/ssh/access-control/node.def
(limited to 'templates')
diff --git a/templates/service/ssh/access-control/node.def b/templates/service/ssh/access-control/node.def
new file mode 100644
index 00000000..8f6ca6e7
--- /dev/null
+++ b/templates/service/ssh/access-control/node.def
@@ -0,0 +1,2 @@
+help: SSH user/group access controls
+comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple users can be specified as a comma-separated list.
-- cgit v1.2.3
From 7a628be1675cca0218c14794a7a07321545ca057 Mon Sep 17 00:00:00 2001
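Review bot: `delete:` uses the configured value as a sed regular expression (`/^DenyUsers $VAR(@)$/d`), while sshd user patterns legitimately contain `*`, `?` and `.`; a value with `*` may no longer match its own line, so the `DenyUsers` line stays in sshd_config after the node is deleted and the enforced policy drifts from the configuration. Since the node is not `multi:` and holds a single value, the delete can key on the directive alone: `delete: sudo sed -i -e '/^DenyUsers /d' /etc/ssh/sshd_config`. `update:` has the opposite gap: `c` only rewrites an existing line, so if none matches, the new value is never written. The other three allow/deny nodes are built the same way.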
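Review bot: Nothing checks that the text appended by the sshd-option `create:` line is a valid sshd directive, so a typo is only discovered when sshd next reloads and rejects the file, which on a remotely managed system can mean loss of SSH access. sshd also uses the first value it finds for most keywords, so an option appended at the end of the file is ignored if the keyword is already set earlier; the operator sees the option in the configuration but it is not in force. Validate before committing, for instance by running `sshd -t -f` against a candidate copy of the file, and state the first-match behaviour in `help:`. No reload of sshd is visible in these templates, so confirm that something else triggers it.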
From: Alain Lamar
Date: Tue, 2 Jan 2018 19:11:24 +0100
Subject: T122: Added a config node to implement sshd_config's AllowUsers
---
templates/service/ssh/access-control/allow-users/node.def | 11 +++++++++++
1 file changed, 11 insertions(+)
create mode 100644 templates/service/ssh/access-control/allow-users/node.def
(limited to 'templates')
diff --git a/templates/service/ssh/access-control/allow-users/node.def b/templates/service/ssh/access-control/allow-users/node.def
new file mode 100644
index 00000000..2052bf69
--- /dev/null
+++ b/templates/service/ssh/access-control/allow-users/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: Configure sshd_config access control for allowed users.
+comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple users can be specified as a comma-separated list.
+
+create: sudo sed -i -e '$ a \
+AllowUsers $VAR(@)' /etc/ssh/sshd_config
+
+delete: sudo sed -i -e '/^AllowUsers $VAR(@)$/d' /etc/ssh/sshd_config
+
+update: sudo sed -i -e '/^AllowUsers.*$/c \
+AllowUsers $VAR(@)' /etc/ssh/sshd_config
-- cgit v1.2.3
From f76f756b8c031226c37a3851074cc26f506ccf2b Mon Sep 17 00:00:00 2001
From: Alain Lamar
Date: Tue, 2 Jan 2018 19:12:09 +0100
Subject: T122: Added a config node to implement sshd_config's AllowGroups
---
templates/service/ssh/access-control/allow-groups/node.def | 11 +++++++++++
1 file changed, 11 insertions(+)
create mode 100644 templates/service/ssh/access-control/allow-groups/node.def
(limited to 'templates')
diff --git a/templates/service/ssh/access-control/allow-groups/node.def b/templates/service/ssh/access-control/allow-groups/node.def
new file mode 100644
index 00000000..2d6aa75b
--- /dev/null
+++ b/templates/service/ssh/access-control/allow-groups/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: Configure sshd_config access control for allowed groups.
+comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple groups can be specified as a comma-separated list.
+
+create: sudo sed -i -e '$ a \
+AllowGroups $VAR(@)' /etc/ssh/sshd_config
+
+delete: sudo sed -i -e '/^AllowGroups $VAR(@)$/d' /etc/ssh/sshd_config
+
+update: sudo sed -i -e '/^AllowGroups.*$/c \
+AllowGroups $VAR(@)' /etc/ssh/sshd_config
-- cgit v1.2.3
From f56e7154b9dfb36305cfb0c36998d245c26ad343 Mon Sep 17 00:00:00 2001
From: Alain Lamar
Date: Tue, 2 Jan 2018 19:12:27 +0100
Subject: T122: Added a config node to implement sshd_config's DenyUsers
---
templates/service/ssh/access-control/deny-users/node.def | 11 +++++++++++
1 file changed, 11 insertions(+)
create mode 100644 templates/service/ssh/access-control/deny-users/node.def
(limited to 'templates')
diff --git a/templates/service/ssh/access-control/deny-users/node.def b/templates/service/ssh/access-control/deny-users/node.def
new file mode 100644
index 00000000..a6426f90
--- /dev/null
+++ b/templates/service/ssh/access-control/deny-users/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: Configure sshd_config access control for disallowed users.
+comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple users can be specified as a comma-separated list.
+
+create: sudo sed -i -e '$ a \
+DenyUsers $VAR(@)' /etc/ssh/sshd_config
+
+delete: sudo sed -i -e '/^DenyUsers $VAR(@)$/d' /etc/ssh/sshd_config
+
+update: sudo sed -i -e '/^DenyUsers.*$/c \
+DenyUsers $VAR(@)' /etc/ssh/sshd_config
-- cgit v1.2.3
From ccbfc90fdb6239d30613fb28b76144c03c2d9809 Mon Sep 17 00:00:00 2001
From: Alain Lamar
Date: Tue, 2 Jan 2018 19:12:43 +0100
Subject: T122: Added a config node to implement sshd_config's DenyGroups
---
templates/service/ssh/access-control/deny-groups/node.def | 11 +++++++++++
1 file changed, 11 insertions(+)
create mode 100644 templates/service/ssh/access-control/deny-groups/node.def
(limited to 'templates')
diff --git a/templates/service/ssh/access-control/deny-groups/node.def b/templates/service/ssh/access-control/deny-groups/node.def
new file mode 100644
index 00000000..c2c8dcab
--- /dev/null
+++ b/templates/service/ssh/access-control/deny-groups/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: Configure sshd_config access control for disallowed groups.
+comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple groups can be specified as a comma-separated list.
+
+create: sudo sed -i -e '$ a \
+DenyGroups $VAR(@)' /etc/ssh/sshd_config
+
+delete: sudo sed -i -e '/^DenyGroups $VAR(@)$/d' /etc/ssh/sshd_config
+
+update: sudo sed -i -e '/^DenyGroups.*$/c \
+DenyGroups $VAR(@)' /etc/ssh/sshd_config
-- cgit v1.2.3
From c4b7a6a89d8309ffef66c7ddf9a74e03eef6c83f Mon Sep 17 00:00:00 2001
From: Alain Lamar
Date: Tue, 2 Jan 2018 19:17:20 +0100
Subject: T122: Undo the multiple-features-in-one-commit commit
---
templates/service/ssh/allow-groups/node.def | 11 -----------
templates/service/ssh/allow-users/node.def | 11 -----------
templates/service/ssh/deny-groups/node.def | 11 -----------
templates/service/ssh/deny-users/node.def | 11 -----------
templates/service/ssh/sshd-option/node.def | 8 --------
5 files changed, 52 deletions(-)
delete mode 100644 templates/service/ssh/allow-groups/node.def
delete mode 100644 templates/service/ssh/allow-users/node.def
delete mode 100644 templates/service/ssh/deny-groups/node.def
delete mode 100644 templates/service/ssh/deny-users/node.def
delete mode 100644 templates/service/ssh/sshd-option/node.def
(limited to 'templates')
diff --git a/templates/service/ssh/allow-groups/node.def b/templates/service/ssh/allow-groups/node.def
deleted file mode 100644
index 2d6aa75b..00000000
--- a/templates/service/ssh/allow-groups/node.def
+++ /dev/null
@@ -1,11 +0,0 @@
-type: txt
-help: Configure sshd_config access control for allowed groups.
-comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple groups can be specified as a comma-separated list.
-
-create: sudo sed -i -e '$ a \
-AllowGroups $VAR(@)' /etc/ssh/sshd_config
-
-delete: sudo sed -i -e '/^AllowGroups $VAR(@)$/d' /etc/ssh/sshd_config
-
-update: sudo sed -i -e '/^AllowGroups.*$/c \
-AllowGroups $VAR(@)' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/allow-users/node.def b/templates/service/ssh/allow-users/node.def
deleted file mode 100644
index 2052bf69..00000000
--- a/templates/service/ssh/allow-users/node.def
+++ /dev/null
@@ -1,11 +0,0 @@
-type: txt
-help: Configure sshd_config access control for allowed users.
-comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple users can be specified as a comma-separated list.
-
-create: sudo sed -i -e '$ a \
-AllowUsers $VAR(@)' /etc/ssh/sshd_config
-
-delete: sudo sed -i -e '/^AllowUsers $VAR(@)$/d' /etc/ssh/sshd_config
-
-update: sudo sed -i -e '/^AllowUsers.*$/c \
-AllowUsers $VAR(@)' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/deny-groups/node.def b/templates/service/ssh/deny-groups/node.def
deleted file mode 100644
index c2c8dcab..00000000
--- a/templates/service/ssh/deny-groups/node.def
+++ /dev/null
@@ -1,11 +0,0 @@
-type: txt
-help: Configure sshd_config access control for disallowed groups.
-comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple groups can be specified as a comma-separated list.
-
-create: sudo sed -i -e '$ a \
-DenyGroups $VAR(@)' /etc/ssh/sshd_config
-
-delete: sudo sed -i -e '/^DenyGroups $VAR(@)$/d' /etc/ssh/sshd_config
-
-update: sudo sed -i -e '/^DenyGroups.*$/c \
-DenyGroups $VAR(@)' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/deny-users/node.def b/templates/service/ssh/deny-users/node.def
deleted file mode 100644
index a6426f90..00000000
--- a/templates/service/ssh/deny-users/node.def
+++ /dev/null
@@ -1,11 +0,0 @@
-type: txt
-help: Configure sshd_config access control for disallowed users.
-comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple users can be specified as a comma-separated list.
-
-create: sudo sed -i -e '$ a \
-DenyUsers $VAR(@)' /etc/ssh/sshd_config
-
-delete: sudo sed -i -e '/^DenyUsers $VAR(@)$/d' /etc/ssh/sshd_config
-
-update: sudo sed -i -e '/^DenyUsers.*$/c \
-DenyUsers $VAR(@)' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/sshd-option/node.def b/templates/service/ssh/sshd-option/node.def
deleted file mode 100644
index 7f6ec7ec..00000000
--- a/templates/service/ssh/sshd-option/node.def
+++ /dev/null
@@ -1,8 +0,0 @@
-multi:
-type: txt
-help: Additional options for sshd_config
-
-create: sudo sed -i -e '$ a \
-$VAR(@)' /etc/ssh/sshd_config
-
-delete: sudo sed -i -e '/^$VAR(@)$/d' /etc/ssh/sshd_config
-- cgit v1.2.3