diff options
| author | Christian Poessinger <christian@poessinger.com> | 2022-10-10 20:03:00 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-10-10 20:03:00 +0200 |
| commit | 9769f25fdf3bde3775ed5a0108543dc6e89745cf (patch) | |
| tree | a1e3d3df5aeff9483cae11449ac324ba914b8714 | |
| parent | adc9af1983657589b95f8e42f83a8d02cc731402 (diff) | |
| parent | b9de775a5b4f017f9d164a127d93f55ce9053756 (diff) | |
| download | vyos-1x-9769f25fdf3bde3775ed5a0108543dc6e89745cf.tar.gz vyos-1x-9769f25fdf3bde3775ed5a0108543dc6e89745cf.zip | |
Merge pull request #1563 from sever-sever/T4716
ssh: T4716: Ability to configure RekeyLimit data and time
| -rw-r--r-- | data/templates/ssh/sshd_config.j2 | 4 | ||||
| -rw-r--r-- | interface-definitions/ssh.xml.in | 31 | ||||
| -rwxr-xr-x | src/conf_mode/ssh.py | 3 |
3 files changed, 38 insertions, 0 deletions
diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2 index e7dbca581..79b07478b 100644 --- a/data/templates/ssh/sshd_config.j2 +++ b/data/templates/ssh/sshd_config.j2 @@ -96,3 +96,7 @@ DenyGroups {{ access_control.deny.group | join(' ') }} # sshd(8) will send a message through the encrypted channel to request a response from the client ClientAliveInterval {{ client_keepalive_interval }} {% endif %} + +{% if rekey.data is vyos_defined %} +RekeyLimit {{ rekey.data }}M {{ rekey.time + 'M' if rekey.time is vyos_defined }} +{% endif %} diff --git a/interface-definitions/ssh.xml.in b/interface-definitions/ssh.xml.in index 126183162..f3c731fe5 100644 --- a/interface-definitions/ssh.xml.in +++ b/interface-definitions/ssh.xml.in @@ -206,6 +206,37 @@ </properties> <defaultValue>22</defaultValue> </leafNode> + <node name="rekey"> + <properties> + <help>SSH session rekey limit</help> + </properties> + <children> + <leafNode name="data"> + <properties> + <help>Threshold data in megabytes</help> + <valueHelp> + <format>u32:1-65535</format> + <description>Megabytes</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-65535"/> + </constraint> + </properties> + </leafNode> + <leafNode name="time"> + <properties> + <help>Threshold time in minutes</help> + <valueHelp> + <format>u32:1-65535</format> + <description>Minutes</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-65535"/> + </constraint> + </properties> + </leafNode> + </children> + </node> <leafNode name="client-keepalive-interval"> <properties> <help>Enable transmission of keepalives from server to client</help> diff --git a/src/conf_mode/ssh.py b/src/conf_mode/ssh.py index 2bbd7142a..8746cc701 100755 --- a/src/conf_mode/ssh.py +++ b/src/conf_mode/ssh.py @@ -73,6 +73,9 @@ def verify(ssh): if not ssh: return None + if 'rekey' in ssh and 'data' not in ssh['rekey']: + raise ConfigError(f'Rekey data is required!') + verify_vrf(ssh) return None |