summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--interface-definitions/ssh.xml69
-rwxr-xr-xsrc/conf-mode/vyos-config-dns-forwarding.py16
-rwxr-xr-xsrc/conf-mode/vyos-config-ssh.py88
3 files changed, 69 insertions, 104 deletions
diff --git a/interface-definitions/ssh.xml b/interface-definitions/ssh.xml
index ba5b887bc..dfae1d8ed 100644
--- a/interface-definitions/ssh.xml
+++ b/interface-definitions/ssh.xml
@@ -13,43 +13,50 @@
<children>
<node name="access-control">
<properties>
- <help>SSH user/group access controls. Directives are processed in this: deny-users, allow-users, deny-groups and allow-groups</help>
+ <help>SSH user/group access controls. Directives are processed in this: deny-users, allow-users, deny-groups and allow-groups</help>
</properties>
<children>
- <leafNode name="allow-groups">
- <properties>
- <help>Configure sshd_config access control for allowed groups</help>
- </properties>
- </leafNode>
- <leafNode name="allow-users">
- <properties>
- <help>Configure sshd_config access control for allowed users</help>
- </properties>
- </leafNode>
- <leafNode name="deny-groups">
- <properties>
- <help>Configure sshd_config access control for disallowed groups</help>
- </properties>
- </leafNode>
- <leafNode name="deny-users">
- <properties>
- <help>Configure sshd_config access control for disallowed users</help>
- </properties>
- </leafNode>
+ <node name="allow">
+ <children>
+ <leafNode name="group">
+ <properties>
+ <help>Login is allowed for users whose primary or supplementary group matches</help>
+ <multi/>
+ </properties>
+ </leafNode>
+ <leafNode name="user">
+ <properties>
+ <help>Login is allowed only for user names that match</help>
+ <multi/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <node name="deny">
+ <children>
+ <leafNode name="group">
+ <properties>
+ <help>Login is disallowed for users whose primary or supplementary group matches</help>
+ <multi/>
+ </properties>
+ </leafNode>
+ <leafNode name="user">
+ <properties>
+ <help>Login is disallowed for user names that match</help>
+ <multi/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
</children>
</node>
- <leafNode name="allow-root">
- <properties>
- <help>Enable root login over ssh</help>
- <valueless/>
- </properties>
- </leafNode>
<leafNode name="ciphers">
<properties>
- <help>Allowed ciphers</help>
+ <help>Specifies allowed Ciphers</help>
<completionHelp>
<script>ssh -Q cipher | tr '\n' ' '</script>
</completionHelp>
+ <multi/>
</properties>
</leafNode>
<leafNode name="disable-host-validation">
@@ -66,10 +73,11 @@
</leafNode>
<leafNode name="key-exchange">
<properties>
- <help>Key exchange algorithms</help>
+ <help>Specifies available KEX (Key Exchange) algorithms</help>
<completionHelp>
<script>ssh -Q kex | tr '\n' ' '</script>
</completionHelp>
+ <multi/>
</properties>
</leafNode>
<leafNode name="listen-address">
@@ -117,10 +125,11 @@
</leafNode>
<leafNode name="mac">
<properties>
- <help>Allowed message authentication algorithms</help>
+ <help>Specifies available MAC (message authentication code) algorithms</help>
<completionHelp>
<script>ssh -Q mac | tr '\n' ' '</script>
</completionHelp>
+ <multi/>
</properties>
</leafNode>
<leafNode name="port">
diff --git a/src/conf-mode/vyos-config-dns-forwarding.py b/src/conf-mode/vyos-config-dns-forwarding.py
index 0d265f819..be48cde60 100755
--- a/src/conf-mode/vyos-config-dns-forwarding.py
+++ b/src/conf-mode/vyos-config-dns-forwarding.py
@@ -31,7 +31,6 @@ config_file = r'/etc/powerdns/recursor.conf'
# especially in the semicolon-separated lists of name servers.
# Please be careful if you edit the template.
config_tmpl = """
-
### Autogenerated by vyos-config-dns-forwarding.py ###
# Non-configurable defaults
@@ -47,19 +46,20 @@ max-cache-entries={{ cache_size }}
export-etc-hosts={{ export_hosts_file }}
# listen-on
-local-address= {{ listen_on | join(',') }}
+local-address={{ listen_on | join(',') }}
# domain ... server ...
{% if domains -%}
-{% for d in domains -%}
-forward-zones = {{ d.name }} = {{ d.servers | join(";") }}
-{% endfor -%}
+forward-zones={% for d in domains %}
+{{ d.name }}={{ d.servers | join(";") }}
+{%- if loop.first %}, {% endif %}
+{% endfor %}
{% endif %}
# name-server
-forward-zones-recurse=.= {{ name_servers | join(';') }}
+forward-zones-recurse=.={{ name_servers | join(';') }}
"""
@@ -113,7 +113,7 @@ def get_config():
if conf.exists('name-server'):
name_servers = conf.return_values('name-server')
- dns.setdefault('name_servers', name_servers)
+ dns['name_servers'] = dns['name_servers'] + name_servers
if conf.exists('system'):
conf.set_level('system')
@@ -185,7 +185,7 @@ def generate(dns):
if dns is None:
return None
- tmpl = jinja2.Template(config_tmpl)
+ tmpl = jinja2.Template(config_tmpl, trim_blocks=True)
config_text = tmpl.render(dns)
with open(config_file, 'w') as f:
diff --git a/src/conf-mode/vyos-config-ssh.py b/src/conf-mode/vyos-config-ssh.py
index 4949d6463..a4857bba9 100755
--- a/src/conf-mode/vyos-config-ssh.py
+++ b/src/conf-mode/vyos-config-ssh.py
@@ -59,6 +59,7 @@ Banner /etc/issue.net
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
HostKey /etc/ssh/ssh_host_key
+PermitRootLogin no
# Specifies whether sshd should look up the remote host name,
# and to check that the resolved host name for the remote IP
@@ -72,9 +73,6 @@ Port {{ port }}
# Gives the verbosity level that is used when logging messages from sshd
LogLevel {{ log_level }}
-# Specifies whether root can log in using ssh
-PermitRootLogin {{ allow_root }}
-
# Specifies whether password authentication is allowed
PasswordAuthentication {{ password_authentication }}
@@ -89,7 +87,7 @@ ListenAddress {{ a }}
# Specifies the ciphers allowed. Multiple ciphers must be comma-separated.
#
# NOTE: As of now, there is no 'multi' node for 'ciphers', thus we have only one :/
-Ciphers {{ ciphers }}
+Ciphers {{ ciphers | join(",") }}
{% endif %}
{% if mac -%}
@@ -98,7 +96,7 @@ Ciphers {{ ciphers }}
# comma-separated.
#
# NOTE: As of now, there is no 'multi' node for 'mac', thus we have only one :/
-MACs {{ mac }}
+MACs {{ mac | join(",") }}
{% endif %}
{% if key_exchange -%}
@@ -106,7 +104,7 @@ MACs {{ mac }}
# be comma-separated.
#
# NOTE: As of now, there is no 'multi' node for 'key-exchange', thus we have only one :/
-KexAlgorithms {{ key_exchange }}
+KexAlgorithms {{ key_exchange | join(",") }}
{% endif %}
{% if allow_users -%}
@@ -142,7 +140,6 @@ DenyGroups {{ deny_groups | join(" ") }}
default_config_data = {
'port' : '22',
'log_level': 'INFO',
- 'allow_root': 'no',
'password_authentication': 'yes',
'host_validation': 'yes'
}
@@ -155,61 +152,24 @@ def get_config():
else:
conf.set_level('service ssh')
- if conf.exists('access-control allow-users'):
- # Retrieve ',' separated list for allowed users and convert it to a list.
- # The current VyOS CLI implementation should be improved to rather use multi nodes
- # instead of a ',' separated input.
- allow_user = conf.return_value('access-control allow-users')
- tmp = allow_user.split(',')
- users = []
- for u in tmp:
- users.append(u)
-
- ssh.setdefault('allow_users', users)
-
- if conf.exists('access-control allow-groups'):
- # Retrieve ',' separated list for allowed groups and convert it to a list.
- # The current VyOS CLI implementation should be improved to rather use multi nodes
- # instead of a ',' separated input.
- allow_group = conf.return_value('access-control allow-groups')
- tmp = allow_group.split(',')
- groups = []
- for g in tmp:
- groups.append(g)
-
- ssh.setdefault('allow_groups', groups)
-
- if conf.exists('access-control deny-users'):
- # Retrieve ',' separated list for denied users and convert it to a list.
- # The current VyOS CLI implementation should be improved to rather use multi nodes
- # instead of a ',' separated input.
- deny_user = conf.return_value('access-control deny-users')
- tmp = deny_user.split(',')
- users = []
- for u in tmp:
- users.append(u)
-
- ssh.setdefault('deny_users', users)
-
- if conf.exists('access-control deny-groups'):
- # Retrieve ',' separated list for denied groups and convert it to a list.
- # The current VyOS CLI implementation should be improved to rather use multi nodes
- # instead of a ',' separated input.
- deny_group = conf.return_value('access-control deny-groups')
- tmp = deny_group.split(',')
- groups = []
- for g in tmp:
- groups.append(g)
-
- ssh.setdefault('deny_groups', groups)
-
- if conf.exists('allow-root'):
- ssh['allow-root'] = 'yes'
+ if conf.exists('access-control allow user'):
+ allow_users = conf.return_values('access-control allow user')
+ ssh.setdefault('allow_users', allow_users)
+
+ if conf.exists('access-control allow group'):
+ allow_groups = conf.return_values('access-control allow group')
+ ssh.setdefault('allow_groups', allow_groups)
+
+ if conf.exists('access-control deny user'):
+ deny_users = conf.return_values('access-control deny user')
+ ssh.setdefault('deny_users', deny_users)
+
+ if conf.exists('access-control deny group'):
+ deny_groups = conf.return_values('access-control deny group')
+ ssh.setdefault('deny_groups', deny_groups)
if conf.exists('ciphers'):
- # TODO: OpenSSH supports having multiple Ciphers configured. VyOS CLI
- # yet has no multi node for this. See T632 in phabricator.
- ciphers = conf.return_value('ciphers')
+ ciphers = conf.return_values('ciphers')
ssh.setdefault('ciphers', ciphers)
if conf.exists('disable-host-validation'):
@@ -219,9 +179,7 @@ def get_config():
ssh['password_authentication'] = 'no'
if conf.exists('key-exchange'):
- # TODO: OpenSSH supports having multiple KEYX methods configured. VyOS CLI
- # yet has no multi node for this. See T632 in phabricator.
- kex = conf.return_value('key-exchange')
+ kex = conf.return_values('key-exchange')
ssh.setdefault('key_exchange', kex)
if conf.exists('listen-address'):
@@ -240,9 +198,7 @@ def get_config():
ssh['log_level'] = conf.return_value('loglevel')
if conf.exists('mac'):
- # TODO: OpenSSH supports having multiple MACs configured. VyOS CLI
- # yet has no multi node for this. See T632 in phabricator.
- mac = conf.return_value('mac')
+ mac = conf.return_values('mac')
ssh.setdefault('mac', mac)
if conf.exists('port'):