-rw-r--r--debian/control4
-rw-r--r--interface-definitions/ssh.xml9
-rw-r--r--interface-definitions/wireguard.xml2
-rwxr-xr-xsrc/conf_mode/ssh.py57
4 files changed, 57 insertions, 15 deletions
diff --git a/debian/control b/debian/control
index 580c929bf..05b4f5320 100644
--- a/debian/control
+++ b/debian/control
@@ -9,7 +9,9 @@ Build-Depends: debhelper (>= 9),
quilt,
python3-lxml,
python3-nose,
- python3-coverage
+ python3-coverage,
+ whois,
+ libvyosconfig0
Standards-Version: 3.9.6
Package: vyos-1x
diff --git a/interface-definitions/ssh.xml b/interface-definitions/ssh.xml
index 35fe79214..422e6d64d 100644
--- a/interface-definitions/ssh.xml
+++ b/interface-definitions/ssh.xml
@@ -167,11 +167,20 @@
<format>1-65535</format>
<description>Numeric IP port</description>
</valueHelp>
+ <multi/>
<constraint>
<validator name="numeric" argument="--range 1-65535"/>
</constraint>
</properties>
</leafNode>
+ <leafNode name="client-keepalive-interval">
+ <properties>
+ <help>how often send keep alives in seconds</help>
+ <constraint>
+ <validator name="numeric" argument="--range 1-65535"/>
+ </constraint>
+ </properties>
+ </leafNode>
</children>
</node>
</children>
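Review bot: The help text on the new `client-keepalive-interval` leaf, `how often send keep alives in seconds`, does not tell an operator which sshd option it maps to or what happens when the client stops answering, and unlike the `port` node just above it the leaf has no `<valueHelp>`. Suggest `<help>Interval in seconds between sshd client-alive probes (ClientAliveInterval)</help>` plus a `<valueHelp>` with `<format>1-65535</format>` and `<description>Seconds between probes; unresponsive clients are disconnected</description>`. Because the range starts at 1 the option can only ever be enabled, so the help could also say that deleting the node restores sshd's default of not probing at all. The `port` leafNode's own help and opening lines sit above this hunk; with `<multi/>` now added they should be checked to say that more than one port may be given.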
diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml
index 51876d6d6..e6bf557cd 100644
--- a/interface-definitions/wireguard.xml
+++ b/interface-definitions/wireguard.xml
@@ -29,7 +29,7 @@
</valueHelp>
<multi/>
<constraint>
- <validator name="ip-prefix"/>
+ <validator name="ip-host"/>
</constraint>
</properties>
</leafNode>
diff --git a/src/conf_mode/ssh.py b/src/conf_mode/ssh.py
index beca7bb9a..b681acea3 100755
--- a/src/conf_mode/ssh.py
+++ b/src/conf_mode/ssh.py
@@ -67,7 +67,13 @@ UseDNS {{ host_validation }}
# Specifies the port number that sshd listens on. The default is 22.
# Multiple options of this type are permitted.
+{% if mport|length != 0 %}
+{% for p in mport %}
+Port {{ p }}
+{% endfor %}
+{% else %}
Port {{ port }}
+{% endif %}
# Gives the verbosity level that is used when logging messages from sshd
LogLevel {{ log_level }}
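Review bot: `{% if mport|length != 0 %}` is a roundabout truth test; Jinja treats an empty or undefined list as false, so `{% if mport %}` reads the same and drops the filter. The `else` branch still renders `Port {{ port }}`, yet the `get_config` change further down no longer assigns `ssh['port']`, so this branch only yields a valid directive if a `port` default is populated elsewhere in the file (not visible in this hunk); without one, sshd would be handed a bare `Port` line and refuse to reload. Guarding it as `{% if port %}Port {{ port }}{% endif %}` makes the template safe regardless of how the defaults are set up. The template string itself begins above this hunk.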
@@ -78,64 +84,80 @@ PermitRootLogin {{ allow_root }}
# Specifies whether password authentication is allowed
PasswordAuthentication {{ password_authentication }}
-{% if listen_on -%}
+{% if listen_on %}
# Specifies the local addresses sshd should listen on
-{% for a in listen_on -%}
+{% for a in listen_on %}
ListenAddress {{ a }}
-{% endfor -%}
+{% endfor %}
+{{ "\n" }}
{% endif %}
-{% if ciphers -%}
+{%- if ciphers %}
# Specifies the ciphers allowed. Multiple ciphers must be comma-separated.
#
# NOTE: As of now, there is no 'multi' node for 'ciphers', thus we have only one :/
Ciphers {{ ciphers | join(",") }}
+{{ "\n" }}
{% endif %}
-{% if mac -%}
+{%- if mac %}
# Specifies the available MAC (message authentication code) algorithms. The MAC
# algorithm is used for data integrity protection. Multiple algorithms must be
# comma-separated.
#
# NOTE: As of now, there is no 'multi' node for 'mac', thus we have only one :/
MACs {{ mac | join(",") }}
+{{ "\n" }}
{% endif %}
-{% if key_exchange -%}
+{%- if key_exchange %}
# Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must
# be comma-separated.
#
# NOTE: As of now, there is no 'multi' node for 'key-exchange', thus we have only one :/
KexAlgorithms {{ key_exchange | join(",") }}
+{{ "\n" }}
{% endif %}
-{% if allow_users -%}
+{%- if allow_users %}
# This keyword can be followed by a list of user name patterns, separated by spaces.
# If specified, login is allowed only for user names that match one of the patterns.
# Only user names are valid, a numerical user ID is not recognized.
AllowUsers {{ allow_users | join(" ") }}
+{{ "\n" }}
{% endif %}
-{% if allow_groups -%}
+{%- if allow_groups %}
# This keyword can be followed by a list of group name patterns, separated by spaces.
# If specified, login is allowed only for users whose primary group or supplementary
# group list matches one of the patterns. Only group names are valid, a numerical group
# ID is not recognized.
AllowGroups {{ allow_groups | join(" ") }}
+{{ "\n" }}
{% endif %}
-{% if deny_users -%}
+{%- if deny_users %}
# This keyword can be followed by a list of user name patterns, separated by spaces.
# Login is disallowed for user names that match one of the patterns. Only user names
# are valid, a numerical user ID is not recognized.
DenyUsers {{ deny_users | join(" ") }}
+{{ "\n" }}
{% endif %}
-{% if deny_groups -%}
+{%- if deny_groups %}
# This keyword can be followed by a list of group name patterns, separated by spaces.
# Login is disallowed for users whose primary group or supplementary group list matches
# one of the patterns. Only group names are valid, a numerical group ID is not recognized.
DenyGroups {{ deny_groups | join(" ") }}
+{{ "\n" }}
+{% endif %}
+
+{%- if client_keepalive %}
+# Sets a timeout interval in seconds after which if no data has been received from the client,
+# sshd will send a message through the encrypted channel to request a response from the client.
+# The default is 0, indicating that these messages will not be sent to the client.
+# This option applies to protocol version 2 only.
+ClientAliveInterval {{ client_keepalive }}
{% endif %}
"""
@@ -208,8 +230,17 @@ def get_config():
ssh['mac'] = mac
if conf.exists('port'):
- port = conf.return_value('port')
- ssh['port'] = port
+ ports = conf.return_values('port')
+ mport = []
+
+ for prt in ports:
+ mport.append(prt)
+
+ ssh['mport'] = mport
+
+ if conf.exists('client-keepalive-interval'):
+ client_keepalive = conf.return_value('client-keepalive-interval')
+ ssh['client_keepalive'] = client_keepalive
return ssh
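Review bot: The `for prt in ports: mport.append(prt)` loop in the `port` branch is a hand-rolled copy of a list; `ssh['mport'] = list(conf.return_values('port'))` does the same in one line and keeps the intent obvious. The branch also stops assigning `ssh['port']` while the template's `else` path still renders `Port {{ port }}`, so the no-port case is only correct if a default `port` is seeded before this point, which is outside the hunk and worth confirming. `client_keepalive` is passed through as the raw config string; that is fine because the XML `numeric --range 1-65535` validator already bounds it, but a short comment saying the template relies on that validation would help the next reader. `get_config` begins above this hunk.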
@@ -228,7 +259,7 @@ def generate(ssh):
if ssh is None:
return None
- tmpl = jinja2.Template(config_tmpl)
+ tmpl = jinja2.Template(config_tmpl, trim_blocks=True)
config_text = tmpl.render(ssh)
with open(config_file, 'w') as f:
f.write(config_text)