author | Christian Breunig <christian@breunig.cc> | 2025-05-20 19:54:59 +0200 |
---|---|---|
committer | Christian Breunig <christian@breunig.cc> | 2025-05-29 13:57:48 +0200 |
commit | d2745a7b60a7fef88958bd52b3876c105da87e77 (patch) | |
tree | ed51526efd8c5cf2497b9d34bb0cbe2261e2f956 | |
parent | 81dfb64ebb3ea3c58c92e8f26e8610a46e4c50d2 (diff) | |
download | vyos-1x-d2745a7b60a7fef88958bd52b3876c105da87e77.tar.gz vyos-1x-d2745a7b60a7fef88958bd52b3876c105da87e77.zip |
pki: T6013: add proper dependencies for SSH CA
We need to establish proper dependencies on "system login" and "pki ca" for
the SSH subsystem. If the CA is updated or user principal names are modified,
we must also ensure that the SSH daemon is restarted accordingly.
-rw-r--r-- | data/config-mode-dependencies/vyos-1x.json | 4 | ||||
-rwxr-xr-x | src/conf_mode/pki.py | 4 | ||||
-rwxr-xr-x | src/conf_mode/system_login.py | 4 |
3 files changed, 12 insertions, 0 deletions
diff --git a/data/config-mode-dependencies/vyos-1x.json b/data/config-mode-dependencies/vyos-1x.json
index 7506a0908..ccfc022f4 100644
--- a/data/config-mode-dependencies/vyos-1x.json
+++ b/data/config-mode-dependencies/vyos-1x.json
@@ -34,6 +34,7 @@
 "ipsec": ["vpn_ipsec"],
 "openconnect": ["vpn_openconnect"],
 "rpki": ["protocols_rpki"],
+ "ssh": ["service_ssh"],
 "sstp": ["vpn_sstp"],
 "sstpc": ["interfaces_sstpc"],
 "stunnel": ["service_stunnel"]
@@ -73,6 +74,9 @@
 "system_ipv6": {
 "sysctl": ["system_sysctl"]
 },
+ "system_login": {
+ "ssh": ["service_ssh"]
+ },
 "system_option": {
 "ip_ipv6": ["system_ip", "system_ipv6"],
 "sysctl": ["system_sysctl"]
diff --git a/src/conf_mode/pki.py b/src/conf_mode/pki.py
index 869518dd9..14fe86d56 100755
--- a/src/conf_mode/pki.py
+++ b/src/conf_mode/pki.py
@@ -64,6 +64,10 @@ sync_search = [
 'path': ['service', 'https'],
 },
 {
+ 'keys': ['ca_certificate'],
+ 'path': ['service', 'ssh'],
+ },
 {
 'keys': ['certificate', 'ca_certificate'],
 'path': ['interfaces', 'ethernet'],
 },
diff --git a/src/conf_mode/system_login.py b/src/conf_mode/system_login.py
index fa866c0ce..481fdd16e 100755
--- a/src/conf_mode/system_login.py
+++ b/src/conf_mode/system_login.py
@@ -26,6 +26,8 @@ from time import sleep
 from vyos.base import Warning
 from vyos.config import Config
+from vyos.configdep import set_dependents
+from vyos.configdep import call_dependents
 from vyos.configverify import verify_vrf
 from vyos.template import render
 from vyos.template import is_ipv4
@@ -129,6 +131,7 @@ def get_config(config=None):
 max_uid=MIN_TACACS_UID) + cli_users
 login['tacacs_min_uid'] = MIN_TACACS_UID
+ set_dependents('ssh', conf)
 return login
 def verify(login):
@@ -433,6 +436,7 @@ def apply(login):
 if enable_otp:
 cmd('pam-auth-update --enable mfa-google-authenticator')
+ call_dependents()
 return None |
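Review bot: The new `sync_search` entry in pki.py carries no note of why only `ca_certificate` under `service ssh` is tracked, so the next reader has to go back to this commit to learn that a CA change is meant to reach sshd. A comment above the entry, such as `# sshd trusts user certificates signed by this CA; a CA change must re-apply service_ssh`, would record the intent the commit message gives. If `service ssh` ever references other PKI objects (a host certificate, for instance) they would not trigger the dependency through this entry; I cannot tell from the hunk whether it does today. The `sync_search` list begins and continues outside the hunk.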
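Review bot: `set_dependents('ssh', conf)` in get_config() runs unconditionally, so every `system login` commit now schedules `service_ssh` even when neither the CA nor a user's principal names changed, whereas the commit message scopes the sshd restart to those two events. That is safe as long as the dependent script tolerates an absent `service ssh` node and is cheap to re-run, which I cannot verify from here; if it is not, gating it with `if conf.exists(['service', 'ssh']): set_dependents('ssh', conf)` keeps hosts without SSH configured out of the restart path. get_config() starts outside the hunk, so the construction of `conf` is not visible in this view.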
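Review bot: `call_dependents()` is added as the last statement of apply(), after the OTP `pam-auth-update` branch, so any early `return` higher in apply() (its body starts outside the hunk) would skip the SSH re-apply and leave sshd running with a stale CA or principal list; worth confirming no such path exists. The line also deserves a why-comment because nothing nearby explains the coupling: `# Re-apply service_ssh so CA and principal changes reach the running sshd`.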