2 files changed, 48 insertions, 68 deletions

diff --git a/interface-definitions/ssh.xml b/interface-definitions/ssh.xml
index f898f3934..7b16939c6 100644
--- a/interface-definitions/ssh.xml
+++ b/interface-definitions/ssh.xml
@@ -13,29 +13,41 @@
         <children>
           <node name="access-control">
             <properties>
-                <help>SSH user/group access controls. Directives are processed in this: deny-users, allow-users, deny-groups and allow-groups</help>
+              <help>SSH user/group access controls. Directives are processed in this: deny-users, allow-users, deny-groups and allow-groups</help>
             </properties>
             <children>
-              <leafNode name="allow-groups">
-                <properties>
-                  <help>Configure sshd_config access control for allowed groups</help>
-                </properties>
-              </leafNode>
-              <leafNode name="allow-users">
-                <properties>
-                  <help>Configure sshd_config access control for allowed users</help>
-                </properties>
-              </leafNode>
-              <leafNode name="deny-groups">
-                <properties>
-                  <help>Configure sshd_config access control for disallowed groups</help>
-                </properties>
-              </leafNode>
-              <leafNode name="deny-users">
-                <properties>
-                  <help>Configure sshd_config access control for disallowed users</help>
-                </properties>
-              </leafNode>
+              <node name="allow">
+                <children>
+                  <leafNode name="group">
+                    <properties>
+                      <help>Login is allowed for users whose primary or supplementary group matches</help>
+                      <multi/>
+                    </properties>
+                  </leafNode>
+                  <leafNode name="user">
+                    <properties>
+                      <help>Login is allowed only for user names that match</help>
+                      <multi/>
+                    </properties>
+                  </leafNode>
+                </children>
+              </node>
+              <node name="deny">
+                <children>
+                  <leafNode name="group">
+                    <properties>
+                      <help>Login is disallowed for users whose primary or supplementary group matches</help>
+                      <multi/>
+                    </properties>
+                  </leafNode>
+                  <leafNode name="user">
+                    <properties>
+                      <help>Login is disallowed for user names that match</help>
+                      <multi/>
+                    </properties>
+                  </leafNode>
+                </children>
+              </node>
             </children>
           </node>
           <leafNode name="allow-root">
diff --git a/src/conf-mode/vyos-config-ssh.py b/src/conf-mode/vyos-config-ssh.py
index 1605dcd74..e7528ae83 100755
--- a/src/conf-mode/vyos-config-ssh.py
+++ b/src/conf-mode/vyos-config-ssh.py
@@ -155,53 +155,21 @@ def get_config():
     else:
         conf.set_level('service ssh')
 
-    if conf.exists('access-control allow-users'):
-        # Retrieve ',' separated list for allowed users and convert it to a list.
-        # The current VyOS CLI implementation should be improved to rather use multi nodes
-        # instead of a ',' separated input.
-        allow_user = conf.return_value('access-control allow-users')
-        tmp = allow_user.split(',')
-        users = []
-        for u in tmp:
-            users.append(u)
-
-        ssh.setdefault('allow_users', users)
-
-    if conf.exists('access-control allow-groups'):
-        # Retrieve ',' separated list for allowed groups and convert it to a list.
-        # The current VyOS CLI implementation should be improved to rather use multi nodes
-        # instead of a ',' separated input.
-        allow_group = conf.return_value('access-control allow-groups')
-        tmp = allow_group.split(',')
-        groups = []
-        for g in tmp:
-            groups.append(g)
-
-        ssh.setdefault('allow_groups', groups)
-
-    if conf.exists('access-control deny-users'):
-        # Retrieve ',' separated list for denied users and convert it to a list.
-        # The current VyOS CLI implementation should be improved to rather use multi nodes
-        # instead of a ',' separated input.
-        deny_user = conf.return_value('access-control deny-users')
-        tmp = deny_user.split(',')
-        users = []
-        for u in tmp:
-            users.append(u)
-
-        ssh.setdefault('deny_users', users)
-
-    if conf.exists('access-control deny-groups'):
-        # Retrieve ',' separated list for denied groups and convert it to a list.
-        # The current VyOS CLI implementation should be improved to rather use multi nodes
-        # instead of a ',' separated input.
-        deny_group = conf.return_value('access-control deny-groups')
-        tmp = deny_group.split(',')
-        groups = []
-        for g in tmp:
-            groups.append(g)
-
-        ssh.setdefault('deny_groups', groups)
+    if conf.exists('access-control allow user'):
+        allow_users = conf.return_values('access-control allow user')
+        ssh.setdefault('allow_users', allow_users)
+
+    if conf.exists('access-control allow group'):
+        allow_groups = conf.return_values('access-control allow group')
+        ssh.setdefault('allow_groups', allow_groups)
+
+    if conf.exists('access-control deny user'):
+        deny_users = conf.return_values('access-control deny user')
+        ssh.setdefault('deny_users', deny_users)
+
+    if conf.exists('access-control deny group'):
+        deny_groups = conf.return_values('access-control deny group')
+        ssh.setdefault('deny_groups', deny_groups)
 
     if conf.exists('allow-root'):
         ssh['allow-root'] = 'yes'