authorChristian Poessinger <christian@poessinger.com>2022-10-10 20:03:00 +0200
committerGitHub <noreply@github.com>2022-10-10 20:03:00 +0200
commit9769f25fdf3bde3775ed5a0108543dc6e89745cf (patch)
treea1e3d3df5aeff9483cae11449ac324ba914b8714
parentadc9af1983657589b95f8e42f83a8d02cc731402 (diff)
parentb9de775a5b4f017f9d164a127d93f55ce9053756 (diff)
Merge pull request #1563 from sever-sever/T4716
ssh: T4716: Ability to configure RekeyLimit data and time
-rw-r--r--data/templates/ssh/sshd_config.j24
-rw-r--r--interface-definitions/ssh.xml.in31
-rwxr-xr-xsrc/conf_mode/ssh.py3
3 files changed, 38 insertions, 0 deletions
diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2
index e7dbca581..79b07478b 100644
--- a/data/templates/ssh/sshd_config.j2
+++ b/data/templates/ssh/sshd_config.j2
@@ -96,3 +96,7 @@ DenyGroups {{ access_control.deny.group | join(' ') }}
# sshd(8) will send a message through the encrypted channel to request a response from the client
ClientAliveInterval {{ client_keepalive_interval }}
{% endif %}
+
+{% if rekey.data is vyos_defined %}
+RekeyLimit {{ rekey.data }}M {{ rekey.time + 'M' if rekey.time is vyos_defined }}
+{% endif %}
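Review bot: The inline `if` on the RekeyLimit line has no `else`, so when `rekey.time` is unset the second expression evaluates to an undefined value and the line only renders correctly because the template environment turns that into an empty string; it also leaves a trailing space after the data limit. Making the optional part explicit removes the dependency on undefined-rendering and keeps the output tidy: `RekeyLimit {{ rekey.data }}M{{ ' ' ~ rekey.time ~ 'M' if rekey.time is vyos_defined else '' }}`. Using `~` rather than `+` also avoids a type error should the value ever arrive as an integer instead of a string (the config dict presumably yields strings, but the template does not depend on it either way). The enclosing `{% if %}` block at the top of the hunk starts outside it.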
diff --git a/interface-definitions/ssh.xml.in b/interface-definitions/ssh.xml.in
index 126183162..f3c731fe5 100644
--- a/interface-definitions/ssh.xml.in
+++ b/interface-definitions/ssh.xml.in
@@ -206,6 +206,37 @@
</properties>
<defaultValue>22</defaultValue>
</leafNode>
+ <node name="rekey">
+ <properties>
+ <help>SSH session rekey limit</help>
+ </properties>
+ <children>
+ <leafNode name="data">
+ <properties>
+ <help>Threshold data in megabytes</help>
+ <valueHelp>
+ <format>u32:1-65535</format>
+ <description>Megabytes</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-65535"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="time">
+ <properties>
+ <help>Threshold time in minutes</help>
+ <valueHelp>
+ <format>u32:1-65535</format>
+ <description>Minutes</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-65535"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
<leafNode name="client-keepalive-interval">
<properties>
<help>Enable transmission of keepalives from server to client</help>
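Review bot: The CLI help does not tell the operator that `data` is mandatory while `time` is optional; that rule is only enforced in the Python verify step, so a user who sets only `rekey time` gets a commit error with no hint from the schema. Suggest making it visible in the help text, e.g. `<help>Threshold data in megabytes (required when rekey is configured)</help>` and `<help>Threshold time in minutes (optional, only used together with data)</help>`. The rest of the node definition mirrors the existing numeric leaf nodes in this file and needs no change.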
diff --git a/src/conf_mode/ssh.py b/src/conf_mode/ssh.py
index 2bbd7142a..8746cc701 100755
--- a/src/conf_mode/ssh.py
+++ b/src/conf_mode/ssh.py
@@ -73,6 +73,9 @@ def verify(ssh):
if not ssh:
return None
+ if 'rekey' in ssh and 'data' not in ssh['rekey']:
+ raise ConfigError(f'Rekey data is required!')
+
verify_vrf(ssh)
return None
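Review bot: The new `raise ConfigError(f'Rekey data is required!')` is an f-string with no placeholders (ruff F541), and the message does not say which node is incomplete or why `data` is needed. A plain string that names the CLI path reads better in the commit error, e.g. `raise ConfigError('SSH rekey "data" limit is required when "rekey" is configured!')`. The condition itself is correct for the template, which renders RekeyLimit only when `rekey.data` is defined, so a `time`-only configuration is rejected rather than silently ignored. `verify()` begins outside the hunk.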