diff options
-rw-r--r-- | interface-definitions/ssh.xml | 69 | ||||
-rwxr-xr-x | src/conf-mode/vyos-config-dns-forwarding.py | 16 | ||||
-rwxr-xr-x | src/conf-mode/vyos-config-ssh.py | 88 |
3 files changed, 69 insertions, 104 deletions
diff --git a/interface-definitions/ssh.xml b/interface-definitions/ssh.xml index ba5b887bc..dfae1d8ed 100644 --- a/interface-definitions/ssh.xml +++ b/interface-definitions/ssh.xml @@ -13,43 +13,50 @@ <children> <node name="access-control"> <properties> - <help>SSH user/group access controls. Directives are processed in this: deny-users, allow-users, deny-groups and allow-groups</help> + <help>SSH user/group access controls. Directives are processed in this: deny-users, allow-users, deny-groups and allow-groups</help> </properties> <children> - <leafNode name="allow-groups"> - <properties> - <help>Configure sshd_config access control for allowed groups</help> - </properties> - </leafNode> - <leafNode name="allow-users"> - <properties> - <help>Configure sshd_config access control for allowed users</help> - </properties> - </leafNode> - <leafNode name="deny-groups"> - <properties> - <help>Configure sshd_config access control for disallowed groups</help> - </properties> - </leafNode> - <leafNode name="deny-users"> - <properties> - <help>Configure sshd_config access control for disallowed users</help> - </properties> - </leafNode> + <node name="allow"> + <children> + <leafNode name="group"> + <properties> + <help>Login is allowed for users whose primary or supplementary group matches</help> + <multi/> + </properties> + </leafNode> + <leafNode name="user"> + <properties> + <help>Login is allowed only for user names that match</help> + <multi/> + </properties> + </leafNode> + </children> + </node> + <node name="deny"> + <children> + <leafNode name="group"> + <properties> + <help>Login is disallowed for users whose primary or supplementary group matches</help> + <multi/> + </properties> + </leafNode> + <leafNode name="user"> + <properties> + <help>Login is disallowed for user names that match</help> + <multi/> + </properties> + </leafNode> + </children> + </node> </children> </node> - <leafNode name="allow-root"> - <properties> - <help>Enable root login over ssh</help> - <valueless/> - </properties> - </leafNode> <leafNode name="ciphers"> <properties> - <help>Allowed ciphers</help> + <help>Specifies allowed Ciphers</help> <completionHelp> <script>ssh -Q cipher | tr '\n' ' '</script> </completionHelp> + <multi/> </properties> </leafNode> <leafNode name="disable-host-validation"> @@ -66,10 +73,11 @@ </leafNode> <leafNode name="key-exchange"> <properties> - <help>Key exchange algorithms</help> + <help>Specifies available KEX (Key Exchange) algorithms</help> <completionHelp> <script>ssh -Q kex | tr '\n' ' '</script> </completionHelp> + <multi/> </properties> </leafNode> <leafNode name="listen-address"> @@ -117,10 +125,11 @@ </leafNode> <leafNode name="mac"> <properties> - <help>Allowed message authentication algorithms</help> + <help>Specifies available MAC (message authentication code) algorithms</help> <completionHelp> <script>ssh -Q mac | tr '\n' ' '</script> </completionHelp> + <multi/> </properties> </leafNode> <leafNode name="port"> diff --git a/src/conf-mode/vyos-config-dns-forwarding.py b/src/conf-mode/vyos-config-dns-forwarding.py index 0d265f819..be48cde60 100755 --- a/src/conf-mode/vyos-config-dns-forwarding.py +++ b/src/conf-mode/vyos-config-dns-forwarding.py @@ -31,7 +31,6 @@ config_file = r'/etc/powerdns/recursor.conf' # especially in the semicolon-separated lists of name servers. # Please be careful if you edit the template. config_tmpl = """ - ### Autogenerated by vyos-config-dns-forwarding.py ### # Non-configurable defaults @@ -47,19 +46,20 @@ max-cache-entries={{ cache_size }} export-etc-hosts={{ export_hosts_file }} # listen-on -local-address= {{ listen_on | join(',') }} +local-address={{ listen_on | join(',') }} # domain ... server ... {% if domains -%} -{% for d in domains -%} -forward-zones = {{ d.name }} = {{ d.servers | join(";") }} -{% endfor -%} +forward-zones={% for d in domains %} +{{ d.name }}={{ d.servers | join(";") }} +{%- if loop.first %}, {% endif %} +{% endfor %} {% endif %} # name-server -forward-zones-recurse=.= {{ name_servers | join(';') }} +forward-zones-recurse=.={{ name_servers | join(';') }} """ @@ -113,7 +113,7 @@ def get_config(): if conf.exists('name-server'): name_servers = conf.return_values('name-server') - dns.setdefault('name_servers', name_servers) + dns['name_servers'] = dns['name_servers'] + name_servers if conf.exists('system'): conf.set_level('system') @@ -185,7 +185,7 @@ def generate(dns): if dns is None: return None - tmpl = jinja2.Template(config_tmpl) + tmpl = jinja2.Template(config_tmpl, trim_blocks=True) config_text = tmpl.render(dns) with open(config_file, 'w') as f: diff --git a/src/conf-mode/vyos-config-ssh.py b/src/conf-mode/vyos-config-ssh.py index 4949d6463..a4857bba9 100755 --- a/src/conf-mode/vyos-config-ssh.py +++ b/src/conf-mode/vyos-config-ssh.py @@ -59,6 +59,7 @@ Banner /etc/issue.net Subsystem sftp /usr/lib/openssh/sftp-server UsePAM yes HostKey /etc/ssh/ssh_host_key +PermitRootLogin no # Specifies whether sshd should look up the remote host name, # and to check that the resolved host name for the remote IP @@ -72,9 +73,6 @@ Port {{ port }} # Gives the verbosity level that is used when logging messages from sshd LogLevel {{ log_level }} -# Specifies whether root can log in using ssh -PermitRootLogin {{ allow_root }} - # Specifies whether password authentication is allowed PasswordAuthentication {{ password_authentication }} @@ -89,7 +87,7 @@ ListenAddress {{ a }} # Specifies the ciphers allowed. Multiple ciphers must be comma-separated. # # NOTE: As of now, there is no 'multi' node for 'ciphers', thus we have only one :/ -Ciphers {{ ciphers }} +Ciphers {{ ciphers | join(",") }} {% endif %} {% if mac -%} @@ -98,7 +96,7 @@ Ciphers {{ ciphers }} # comma-separated. # # NOTE: As of now, there is no 'multi' node for 'mac', thus we have only one :/ -MACs {{ mac }} +MACs {{ mac | join(",") }} {% endif %} {% if key_exchange -%} @@ -106,7 +104,7 @@ MACs {{ mac }} # be comma-separated. # # NOTE: As of now, there is no 'multi' node for 'key-exchange', thus we have only one :/ -KexAlgorithms {{ key_exchange }} +KexAlgorithms {{ key_exchange | join(",") }} {% endif %} {% if allow_users -%} @@ -142,7 +140,6 @@ DenyGroups {{ deny_groups | join(" ") }} default_config_data = { 'port' : '22', 'log_level': 'INFO', - 'allow_root': 'no', 'password_authentication': 'yes', 'host_validation': 'yes' } @@ -155,61 +152,24 @@ def get_config(): else: conf.set_level('service ssh') - if conf.exists('access-control allow-users'): - # Retrieve ',' separated list for allowed users and convert it to a list. - # The current VyOS CLI implementation should be improved to rather use multi nodes - # instead of a ',' separated input. - allow_user = conf.return_value('access-control allow-users') - tmp = allow_user.split(',') - users = [] - for u in tmp: - users.append(u) - - ssh.setdefault('allow_users', users) - - if conf.exists('access-control allow-groups'): - # Retrieve ',' separated list for allowed groups and convert it to a list. - # The current VyOS CLI implementation should be improved to rather use multi nodes - # instead of a ',' separated input. - allow_group = conf.return_value('access-control allow-groups') - tmp = allow_group.split(',') - groups = [] - for g in tmp: - groups.append(g) - - ssh.setdefault('allow_groups', groups) - - if conf.exists('access-control deny-users'): - # Retrieve ',' separated list for denied users and convert it to a list. - # The current VyOS CLI implementation should be improved to rather use multi nodes - # instead of a ',' separated input. - deny_user = conf.return_value('access-control deny-users') - tmp = deny_user.split(',') - users = [] - for u in tmp: - users.append(u) - - ssh.setdefault('deny_users', users) - - if conf.exists('access-control deny-groups'): - # Retrieve ',' separated list for denied groups and convert it to a list. - # The current VyOS CLI implementation should be improved to rather use multi nodes - # instead of a ',' separated input. - deny_group = conf.return_value('access-control deny-groups') - tmp = deny_group.split(',') - groups = [] - for g in tmp: - groups.append(g) - - ssh.setdefault('deny_groups', groups) - - if conf.exists('allow-root'): - ssh['allow-root'] = 'yes' + if conf.exists('access-control allow user'): + allow_users = conf.return_values('access-control allow user') + ssh.setdefault('allow_users', allow_users) + + if conf.exists('access-control allow group'): + allow_groups = conf.return_values('access-control allow group') + ssh.setdefault('allow_groups', allow_groups) + + if conf.exists('access-control deny user'): + deny_users = conf.return_values('access-control deny user') + ssh.setdefault('deny_users', deny_users) + + if conf.exists('access-control deny group'): + deny_groups = conf.return_values('access-control deny group') + ssh.setdefault('deny_groups', deny_groups) if conf.exists('ciphers'): - # TODO: OpenSSH supports having multiple Ciphers configured. VyOS CLI - # yet has no multi node for this. See T632 in phabricator. - ciphers = conf.return_value('ciphers') + ciphers = conf.return_values('ciphers') ssh.setdefault('ciphers', ciphers) if conf.exists('disable-host-validation'): @@ -219,9 +179,7 @@ def get_config(): ssh['password_authentication'] = 'no' if conf.exists('key-exchange'): - # TODO: OpenSSH supports having multiple KEYX methods configured. VyOS CLI - # yet has no multi node for this. See T632 in phabricator. - kex = conf.return_value('key-exchange') + kex = conf.return_values('key-exchange') ssh.setdefault('key_exchange', kex) if conf.exists('listen-address'): @@ -240,9 +198,7 @@ def get_config(): ssh['log_level'] = conf.return_value('loglevel') if conf.exists('mac'): - # TODO: OpenSSH supports having multiple MACs configured. VyOS CLI - # yet has no multi node for this. See T632 in phabricator. - mac = conf.return_value('mac') + mac = conf.return_values('mac') ssh.setdefault('mac', mac) if conf.exists('port'): |