authorChristian Poessinger <christian@poessinger.com>2020-06-11 15:58:18 +0200
committerChristian Poessinger <christian@poessinger.com>2020-06-11 15:58:18 +0200
commit5deb12c509bea6e353c3b4c3174f040895646cf8 (patch)
tree0405621fdec0de0430bdf3bbe5b37b9aa9709701
parentc2c91c4a7c74c851236a40759fa56521f39cd2cc (diff)
downloadvyos-1x-5deb12c509bea6e353c3b4c3174f040895646cf8.tar.gz
vyos-1x-5deb12c509bea6e353c3b4c3174f040895646cf8.zip
ssh: T2321: add VRF support
-rw-r--r--data/templates/ssh/override.conf.tmpl8
-rw-r--r--data/templates/ssh/sshd_config.tmpl8
-rw-r--r--interface-definitions/ssh.xml.in1
-rwxr-xr-xsrc/conf_mode/ssh.py18
4 files changed, 28 insertions, 7 deletions
diff --git a/data/templates/ssh/override.conf.tmpl b/data/templates/ssh/override.conf.tmpl
new file mode 100644
index 000000000..1013d4b48
--- /dev/null
+++ b/data/templates/ssh/override.conf.tmpl
@@ -0,0 +1,8 @@
+[Service]
+ExecStart=
+{% if vrf %}
+ExecStart=/sbin/ip vrf exec {{ vrf }} /usr/sbin/sshd -D $SSHD_OPTS
+{% else %}
+ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
+{% endif %}
+
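Review bot: The new drop-in carries no hint that it is generated, so an operator who edits `/etc/systemd/system/ssh.service.d/override.conf` by hand will have the change silently overwritten at the next commit; a first line `# Autogenerated by ssh.py, do not edit manually` (unit files accept `#` comments) would document that. The parent directory `ssh.service.d` must exist before generate() in the ssh.py hunk writes this file; if render() does not create missing parent directories, the first commit fails there, which cannot be confirmed from this diff. A short comment above the empty `ExecStart=` explaining that the empty assignment clears the unit's original command before the override is applied would help readers unfamiliar with systemd drop-ins.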
diff --git a/data/templates/ssh/sshd_config.tmpl b/data/templates/ssh/sshd_config.tmpl
index 949a8558f..08fe56655 100644
--- a/data/templates/ssh/sshd_config.tmpl
+++ b/data/templates/ssh/sshd_config.tmpl
@@ -28,15 +28,11 @@ UsePAM yes
# address maps back to the very same IP address.
UseDNS {{ host_validation }}
-# Specifies the port number that sshd listens on. The default is 22.
+# Specifies the port number that sshd listens on. The default is 22.
# Multiple options of this type are permitted.
-{% if mport|length != 0 %}
-{% for p in mport %}
+{% for p in port %}
Port {{ p }}
{% endfor %}
-{% else %}
-Port {{ port }}
-{% endif %}
# Gives the verbosity level that is used when logging messages from sshd
LogLevel {{ log_level }}
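Review bot: `{% for p in port %}` now iterates `port` unconditionally, but `default_config_data` in the ssh.py hunk still seeds `'port' : '22'` as a string; unless get_config() (outside the hunk) always replaces it with a list, a configuration without an explicit port renders `Port 2` twice and sshd listens on port 2 instead of 22. If that is the case the default should become a list, `'port': ['22'],`, and the template could guard the loop with `{% if port %}`. The removed `mport` branch suggests a list form is already built somewhere in get_config(), which cannot be verified from this hunk.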
diff --git a/interface-definitions/ssh.xml.in b/interface-definitions/ssh.xml.in
index ea4202195..de926a897 100644
--- a/interface-definitions/ssh.xml.in
+++ b/interface-definitions/ssh.xml.in
@@ -175,6 +175,7 @@
</constraint>
</properties>
</leafNode>
+ #include <include/interface-vrf.xml.i>
</children>
</node>
</children>
diff --git a/src/conf_mode/ssh.py b/src/conf_mode/ssh.py
index 2cc823e21..5a0ae059b 100755
--- a/src/conf_mode/ssh.py
+++ b/src/conf_mode/ssh.py
@@ -15,6 +15,8 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
+
+from netifaces import interfaces
from sys import exit
from vyos.config import Config
@@ -26,12 +28,14 @@ from vyos import airbag
airbag.enable()
config_file = r'/etc/ssh/sshd_config'
+systemd_override = r'/etc/systemd/system/ssh.service.d/override.conf'
default_config_data = {
'port' : '22',
'log_level': 'INFO',
'password_authentication': 'yes',
- 'host_validation': 'yes'
+ 'host_validation': 'yes',
+ 'vrf': ''
}
def get_config():
@@ -96,6 +100,9 @@ def get_config():
if conf.exists(tmp):
ssh['client_keepalive'] = conf.return_value(tmp)
+ tmp = ['vrf']
+ if conf.exists(tmp):
+ ssh['vrf'] = conf.return_value(tmp)
return ssh
@@ -108,6 +115,9 @@ def verify(ssh):
if not ssh['loglevel'] in allowed_loglevel:
raise ConfigError('loglevel must be one of "{0}"\n'.format(allowed_loglevel))
+ if ssh['vrf'] and ssh['vrf'] not in interfaces():
+ raise ConfigError('VRF "{vrf}" does not exist'.format(**ssh))
+
return None
def generate(ssh):
@@ -115,6 +125,8 @@ def generate(ssh):
return None
render(config_file, 'ssh/sshd_config.tmpl', ssh, trim_blocks=True)
+ render(systemd_override, 'ssh/override.conf.tmpl', ssh, trim_blocks=True)
+
return None
def apply(ssh):
@@ -123,7 +135,11 @@ def apply(ssh):
call('systemctl stop ssh.service')
if os.path.isfile(config_file):
os.unlink(config_file)
+ if os.path.isfile(systemd_override):
+ os.unlink(systemd_override)
else:
+ # Reload systemd manager configuration
+ call('systemctl daemon-reload')
call('systemctl restart ssh.service')
return None
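Review bot: The verify() check `ssh['vrf'] not in interfaces()` only proves that a network device of that name exists; any interface name, such as a physical port, passes it, and the failure then happens when systemd runs `ip vrf exec` at service start. Because apply() ignores the result of `call('systemctl restart ssh.service')`, such a failed start leaves the host without SSH while the commit still succeeds; if call() returns the exit status, `if call('systemctl restart ssh.service') != 0: raise ConfigError('Failed to restart ssh.service')` would at least surface it, and a check in verify() that the named interface is actually a VRF device would catch it before anything is written. On the disable path the override file is unlinked without a `systemctl daemon-reload`, so systemd keeps the removed drop-in loaded until the next reload; running the daemon-reload in both branches fixes that. verify() and apply() both start outside the hunks.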