author | Christian Poessinger <christian@poessinger.com> | 2020-06-11 15:58:18 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2020-06-11 15:58:18 +0200 |
commit | 5deb12c509bea6e353c3b4c3174f040895646cf8 (patch) | |
tree | 0405621fdec0de0430bdf3bbe5b37b9aa9709701 | |
parent | c2c91c4a7c74c851236a40759fa56521f39cd2cc (diff) | |
download | vyos-1x-5deb12c509bea6e353c3b4c3174f040895646cf8.tar.gz vyos-1x-5deb12c509bea6e353c3b4c3174f040895646cf8.zip |
ssh: T2321: add VRF support
-rw-r--r-- | data/templates/ssh/override.conf.tmpl | 8 | ||||
-rw-r--r-- | data/templates/ssh/sshd_config.tmpl | 8 | ||||
-rw-r--r-- | interface-definitions/ssh.xml.in | 1 | ||||
-rwxr-xr-x | src/conf_mode/ssh.py | 18 |
4 files changed, 28 insertions, 7 deletions
diff --git a/data/templates/ssh/override.conf.tmpl b/data/templates/ssh/override.conf.tmpl
new file mode 100644
index 000000000..1013d4b48
--- /dev/null
+++ b/data/templates/ssh/override.conf.tmpl
@@ -0,0 +1,8 @@
+[Service]
+ExecStart=
+{% if vrf %}
+ExecStart=/sbin/ip vrf exec {{ vrf }} /usr/sbin/sshd -D $SSHD_OPTS
+{% else %}
+ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
+{% endif %}
+
diff --git a/data/templates/ssh/sshd_config.tmpl b/data/templates/ssh/sshd_config.tmpl
index 949a8558f..08fe56655 100644
--- a/data/templates/ssh/sshd_config.tmpl
+++ b/data/templates/ssh/sshd_config.tmpl
@@ -28,15 +28,11 @@ UsePAM yes
 # address maps back to the very same IP address.
 UseDNS {{ host_validation }}
-# Specifies the port number that sshd listens on. The default is 22.
+# Specifies the port number that sshd listens on. The default is 22.
 # Multiple options of this type are permitted.
-{% if mport|length != 0 %}
-{% for p in mport %}
+{% for p in port %}
 Port {{ p }}
 {% endfor %}
-{% else %}
-Port {{ port }}
-{% endif %}
 # Gives the verbosity level that is used when logging messages from sshd
 LogLevel {{ log_level }}
diff --git a/interface-definitions/ssh.xml.in b/interface-definitions/ssh.xml.in
index ea4202195..de926a897 100644
--- a/interface-definitions/ssh.xml.in
+++ b/interface-definitions/ssh.xml.in
@@ -175,6 +175,7 @@
         </constraint>
       </properties>
     </leafNode>
+    #include <include/interface-vrf.xml.i>
   </children>
 </node>
 </children>
diff --git a/src/conf_mode/ssh.py b/src/conf_mode/ssh.py
index 2cc823e21..5a0ae059b 100755
--- a/src/conf_mode/ssh.py
+++ b/src/conf_mode/ssh.py
@@ -15,6 +15,8 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 import os
+
+from netifaces import interfaces
 from sys import exit
 from vyos.config import Config
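Review bot: The VRF name is interpolated verbatim into the unit's command line on the `{% if vrf %}` branch, so the only thing keeping a config value from reshaping what systemd executes is the `interfaces()` membership check that verify() gains later in this diff; that check is load-bearing and the template does not say so. A maintainer relaxing verify() (or adding a second caller of this template) would not see the dependency from here. I would add a template comment above the branch that is not rendered into the unit, e.g. `{# vrf must already be validated against the kernel interface list in verify(); never render unvalidated input into ExecStart #}`.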
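Review bot: `{% for p in port %}` now iterates `port` unconditionally, but the `default_config_data` in the next file of this diff still seeds `'port' : '22'` as a string; unless get_config() (outside the diff) replaces it with a list, Jinja iterates the characters and emits `Port 2` twice when no port is configured, so sshd would bind TCP/2 rather than 22 on a default install. The old template avoided this by keeping the scalar `port` fallback, which this hunk removes. If the configured case already yields a list, the default should be shaped the same way: `'port' : ['22'],`.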
@@ -26,12 +28,14 @@ from vyos import airbag
 airbag.enable()
 config_file = r'/etc/ssh/sshd_config'
+systemd_override = r'/etc/systemd/system/ssh.service.d/override.conf'
 default_config_data = {
     'port' : '22',
     'log_level': 'INFO',
     'password_authentication': 'yes',
-    'host_validation': 'yes'
+    'host_validation': 'yes',
+    'vrf': ''
 }
 def get_config():
@@ -96,6 +100,9 @@ def get_config():
     if conf.exists(tmp):
         ssh['client_keepalive'] = conf.return_value(tmp)
+    tmp = ['vrf']
+    if conf.exists(tmp):
+        ssh['vrf'] = conf.return_value(tmp)
     return ssh
@@ -108,6 +115,9 @@ def verify(ssh):
     if not ssh['loglevel'] in allowed_loglevel:
         raise ConfigError('loglevel must be one of "{0}"\n'.format(allowed_loglevel))
+    if ssh['vrf'] and ssh['vrf'] not in interfaces():
+        raise ConfigError('VRF "{vrf}" does not exist'.format(**ssh))
+
     return None
 def generate(ssh):
@@ -115,6 +125,8 @@ def generate(ssh):
         return None
     render(config_file, 'ssh/sshd_config.tmpl', ssh, trim_blocks=True)
+    render(systemd_override, 'ssh/override.conf.tmpl', ssh, trim_blocks=True)
+
     return None
 def apply(ssh):
@@ -123,7 +135,11 @@ def apply(ssh):
         call('systemctl stop ssh.service')
         if os.path.isfile(config_file):
             os.unlink(config_file)
+        if os.path.isfile(systemd_override):
+            os.unlink(systemd_override)
     else:
+        # Reload systemd manager configuration
+        call('systemctl daemon-reload')
         call('systemctl restart ssh.service')
     return None
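Review bot: `ssh['vrf'] not in interfaces()` only proves that some interface of that name exists, not that it is a VRF device, so `vrf eth0` passes verify() and the failure surfaces only when systemd runs `ip vrf exec eth0 ...` at restart, after the commit has already succeeded and the old sshd has been stopped. The message `'VRF "{vrf}" does not exist'` is therefore also misleading for the wrong-kind case. I would tighten the check to the link kind as well, for example by also requiring that `ip link show dev <name> type vrf` (or an equivalent helper, if the codebase has one) returns the interface, and word the error as `'"{vrf}" is not a VRF'.format(**ssh)` for that case. verify() begins outside the hunk.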
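Review bot: `systemctl daemon-reload` is only issued in the `else` branch, so after the delete path unlinks `systemd_override` systemd keeps the stale drop-in (possibly a VRF-bound `ExecStart`) loaded until something else reloads the manager; a later manual `systemctl start ssh` would still run inside the old VRF. The reload belongs next to the unlink as well: after `os.unlink(systemd_override)` add `call('systemctl daemon-reload')`, or hoist a single reload out of the branches so every change to the drop-in is followed by one. apply() begins outside the hunk.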