| author | Christian Poessinger <christian@poessinger.com> | 2018-05-13 14:10:15 +0200 | 
|---|---|---|
| committer | Christian Poessinger <christian@poessinger.com> | 2018-05-14 11:30:22 +0200 | 
| commit | c5774b1dacb5c4bc67d2bf6f63ed92a296923220 (patch) | |
| tree | 7ccee5fa962062a9aed930a1225c042191c3d7fa | |
| parent | 860b229fe00998d2dd2d020d7dc847f99e709c26 (diff) | |
| download | vyos-1x-c5774b1dacb5c4bc67d2bf6f63ed92a296923220.tar.gz vyos-1x-c5774b1dacb5c4bc67d2bf6f63ed92a296923220.zip | |
T632: use multi node for SSH allow/deny users and groups
| -rw-r--r-- | interface-definitions/ssh.xml | 54 | ||||
| -rwxr-xr-x | src/conf-mode/vyos-config-ssh.py | 62 | 
2 files changed, 48 insertions, 68 deletions
diff --git a/interface-definitions/ssh.xml b/interface-definitions/ssh.xml
index f898f3934..7b16939c6 100644
--- a/interface-definitions/ssh.xml
+++ b/interface-definitions/ssh.xml
@@ -13,29 +13,41 @@          <children>            <node name="access-control">              <properties> -                <help>SSH user/group access controls. Directives are processed in this: deny-users, allow-users, deny-groups and allow-groups</help> +              <help>SSH user/group access controls. Directives are processed in this: deny-users, allow-users, deny-groups and allow-groups</help>              </properties>              <children> -              <leafNode name="allow-groups"> -                <properties> -                  <help>Configure sshd_config access control for allowed groups</help> -                </properties> -              </leafNode> -              <leafNode name="allow-users"> -                <properties> -                  <help>Configure sshd_config access control for allowed users</help> -                </properties> -              </leafNode> -              <leafNode name="deny-groups"> -                <properties> -                  <help>Configure sshd_config access control for disallowed groups</help> -                </properties> -              </leafNode> -              <leafNode name="deny-users"> -                <properties> -                  <help>Configure sshd_config access control for disallowed users</help> -                </properties> -              </leafNode> +              <node name="allow"> +                <children> +                  <leafNode name="group"> +                    <properties> +                      <help>Login is allowed for users whose primary or supplementary group matches</help> +                      <multi/> +                    </properties> +                  </leafNode> +                  <leafNode name="user"> +                    <properties> +                      <help>Login is allowed only for user names that match</help> +                      <multi/> +                    </properties> +                  </leafNode> +                </children> +              </node> 
+              <node name="deny"> +                <children> +                  <leafNode name="group"> +                    <properties> +                      <help>Login is disallowed for users whose primary or supplementary group matches</help> +                      <multi/> +                    </properties> +                  </leafNode> +                  <leafNode name="user"> +                    <properties> +                      <help>Login is disallowed for user names that match</help> +                      <multi/> +                    </properties> +                  </leafNode> +                </children> +              </node>              </children>            </node>            <leafNode name="allow-root"> diff --git a/src/conf-mode/vyos-config-ssh.py b/src/conf-mode/vyos-config-ssh.py index 1605dcd74..e7528ae83 100755 --- a/src/conf-mode/vyos-config-ssh.py +++ b/src/conf-mode/vyos-config-ssh.py 
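Review bot: The new `user` and `group` leaf nodes under `allow` and `deny` carry no `<constraint>`, so any string the operator types is accepted and, per the conf-mode half of this commit, passed on without validation toward sshd_config; if rendered as-is, a value containing whitespace would be read by sshd as several patterns, and a typo silently widens or narrows the allow list. A regex constraint limited to sshd's pattern characters, e.g. `<constraint><regex>^[A-Za-z0-9_.@*?-]+$</regex></constraint>` plus a `<constraintErrorMessage>`, would reject that at commit time. Separately, the `access-control` help text still names the removed nodes and is missing a word: suggest `Directives are processed in this order: deny user, allow user, deny group and allow group`, which is the DenyUsers/AllowUsers/DenyGroups/AllowGroups order documented in sshd_config(5).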
@@ -155,53 +155,21 @@ def get_config():
     else:
         conf.set_level('service ssh')
-    if conf.exists('access-control allow-users'):
-        # Retrieve ',' separated list for allowed users and convert it to a list.
-        # The current VyOS CLI implementation should be improved to rather use multi nodes
-        # instead of a ',' separated input.
-        allow_user = conf.return_value('access-control allow-users')
-        tmp = allow_user.split(',')
-        users = []
-        for u in tmp:
-            users.append(u)
-
-        ssh.setdefault('allow_users', users)
-
-    if conf.exists('access-control allow-groups'):
-        # Retrieve ',' separated list for allowed groups and convert it to a list.
-        # The current VyOS CLI implementation should be improved to rather use multi nodes
-        # instead of a ',' separated input.
-        allow_group = conf.return_value('access-control allow-groups')
-        tmp = allow_group.split(',')
-        groups = []
-        for g in tmp:
-            groups.append(g)
-
-        ssh.setdefault('allow_groups', groups)
-
-    if conf.exists('access-control deny-users'):
-        # Retrieve ',' separated list for denied users and convert it to a list.
-        # The current VyOS CLI implementation should be improved to rather use multi nodes
-        # instead of a ',' separated input.
-        deny_user = conf.return_value('access-control deny-users')
-        tmp = deny_user.split(',')
-        users = []
-        for u in tmp:
-            users.append(u)
-
-        ssh.setdefault('deny_users', users)
-
-    if conf.exists('access-control deny-groups'):
-        # Retrieve ',' separated list for denied groups and convert it to a list.
-        # The current VyOS CLI implementation should be improved to rather use multi nodes
-        # instead of a ',' separated input.
-        deny_group = conf.return_value('access-control deny-groups')
-        tmp = deny_group.split(',')
-        groups = []
-        for g in tmp:
-            groups.append(g)
-
-        ssh.setdefault('deny_groups', groups)
+    if conf.exists('access-control allow user'):
+        allow_users = conf.return_values('access-control allow user')
+        ssh.setdefault('allow_users', allow_users)
+
+    if conf.exists('access-control allow group'):
+        allow_groups = conf.return_values('access-control allow group')
+        ssh.setdefault('allow_groups', allow_groups)
+
+    if conf.exists('access-control deny user'):
+        deny_users = conf.return_values('access-control deny user')
+        ssh.setdefault('deny_users', deny_users)
+
+    if conf.exists('access-control deny group'):
+        deny_groups = conf.return_values('access-control deny group')
+        ssh.setdefault('deny_groups', deny_groups)
     if conf.exists('allow-root'):
         ssh['allow-root'] = 'yes'
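Review bot: The four new branches store the lists with `ssh.setdefault(...)`, which only writes when the key is absent; if `ssh` is pre-seeded with these keys earlier in get_config() (not visible in this hunk), the configured allow/deny lists are silently discarded and sshd is rendered without the intended user restriction. The neighbouring context line `ssh['allow-root'] = 'yes'` assigns directly, so `ssh['allow_users'] = allow_users` (and likewise for the other three keys) is both consistent with the file and unambiguous. The commit also renames the CLI paths (`allow-users` → `allow user`, etc.) without a migration script — the diffstat lists only these two files — so a saved config that uses the old nodes would presumably fail to load after upgrade, and for an access-control setting that deserves a migrator rather than a silent loss of the restriction. get_config() begins before this hunk.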
