summaryrefslogtreecommitdiff
path: root/src/conf-mode/vyos-config-ssh.py
diff options
context:
space:
mode:
Diffstat (limited to 'src/conf-mode/vyos-config-ssh.py')
-rwxr-xr-xsrc/conf-mode/vyos-config-ssh.py249
1 files changed, 0 insertions, 249 deletions
diff --git a/src/conf-mode/vyos-config-ssh.py b/src/conf-mode/vyos-config-ssh.py
deleted file mode 100755
index a4857bba9..000000000
--- a/src/conf-mode/vyos-config-ssh.py
+++ /dev/null
@@ -1,249 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2018 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-#
-
-import sys
-import os
-
-import jinja2
-
-from vyos.config import Config
-from vyos import ConfigError
-
-config_file = r'/etc/ssh/sshd_config'
-
-# Please be careful if you edit the template.
-config_tmpl = """
-
-### Autogenerated by vyos-config-ssh.py ###
-
-# Non-configurable defaults
-Protocol 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
-UsePrivilegeSeparation yes
-KeyRegenerationInterval 3600
-ServerKeyBits 1024
-SyslogFacility AUTH
-LoginGraceTime 120
-StrictModes yes
-RSAAuthentication yes
-PubkeyAuthentication yes
-IgnoreRhosts yes
-RhostsRSAAuthentication no
-HostbasedAuthentication no
-PermitEmptyPasswords no
-ChallengeResponseAuthentication no
-X11Forwarding yes
-X11DisplayOffset 10
-PrintMotd no
-PrintLastLog yes
-TCPKeepAlive yes
-Banner /etc/issue.net
-Subsystem sftp /usr/lib/openssh/sftp-server
-UsePAM yes
-HostKey /etc/ssh/ssh_host_key
-PermitRootLogin no
-
-# Specifies whether sshd should look up the remote host name,
-# and to check that the resolved host name for the remote IP
-# address maps back to the very same IP address.
-UseDNS {{ host_validation }}
-
-# Specifies the port number that sshd listens on. The default is 22.
-# Multiple options of this type are permitted.
-Port {{ port }}
-
-# Gives the verbosity level that is used when logging messages from sshd
-LogLevel {{ log_level }}
-
-# Specifies whether password authentication is allowed
-PasswordAuthentication {{ password_authentication }}
-
-{% if listen_on -%}
-# Specifies the local addresses sshd should listen on
-{% for a in listen_on -%}
-ListenAddress {{ a }}
-{% endfor -%}
-{% endif %}
-
-{% if ciphers -%}
-# Specifies the ciphers allowed. Multiple ciphers must be comma-separated.
-#
-# NOTE: As of now, there is no 'multi' node for 'ciphers', thus we have only one :/
-Ciphers {{ ciphers | join(",") }}
-{% endif %}
-
-{% if mac -%}
-# Specifies the available MAC (message authentication code) algorithms. The MAC
-# algorithm is used for data integrity protection. Multiple algorithms must be
-# comma-separated.
-#
-# NOTE: As of now, there is no 'multi' node for 'mac', thus we have only one :/
-MACs {{ mac | join(",") }}
-{% endif %}
-
-{% if key_exchange -%}
-# Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must
-# be comma-separated.
-#
-# NOTE: As of now, there is no 'multi' node for 'key-exchange', thus we have only one :/
-KexAlgorithms {{ key_exchange | join(",") }}
-{% endif %}
-
-{% if allow_users -%}
-# This keyword can be followed by a list of user name patterns, separated by spaces.
-# If specified, login is allowed only for user names that match one of the patterns.
-# Only user names are valid, a numerical user ID is not recognized.
-AllowUsers {{ allow_users | join(" ") }}
-{% endif %}
-
-{% if allow_groups -%}
-# This keyword can be followed by a list of group name patterns, separated by spaces.
-# If specified, login is allowed only for users whose primary group or supplementary
-# group list matches one of the patterns. Only group names are valid, a numerical group
-# ID is not recognized.
-AllowGroups {{ allow_groups | join(" ") }}
-{% endif %}
-
-{% if deny_users -%}
-# This keyword can be followed by a list of user name patterns, separated by spaces.
-# Login is disallowed for user names that match one of the patterns. Only user names
-# are valid, a numerical user ID is not recognized.
-DenyUsers {{ deny_users | join(" ") }}
-{% endif %}
-
-{% if deny_groups -%}
-# This keyword can be followed by a list of group name patterns, separated by spaces.
-# Login is disallowed for users whose primary group or supplementary group list matches
-# one of the patterns. Only group names are valid, a numerical group ID is not recognized.
-DenyGroups {{ deny_groups | join(" ") }}
-{% endif %}
-"""
-
-default_config_data = {
- 'port' : '22',
- 'log_level': 'INFO',
- 'password_authentication': 'yes',
- 'host_validation': 'yes'
-}
-
-def get_config():
- ssh = default_config_data
- conf = Config()
- if not conf.exists('service ssh'):
- return None
- else:
- conf.set_level('service ssh')
-
- if conf.exists('access-control allow user'):
- allow_users = conf.return_values('access-control allow user')
- ssh.setdefault('allow_users', allow_users)
-
- if conf.exists('access-control allow group'):
- allow_groups = conf.return_values('access-control allow group')
- ssh.setdefault('allow_groups', allow_groups)
-
- if conf.exists('access-control deny user'):
- deny_users = conf.return_values('access-control deny user')
- ssh.setdefault('deny_users', deny_users)
-
- if conf.exists('access-control deny group'):
- deny_groups = conf.return_values('access-control deny group')
- ssh.setdefault('deny_groups', deny_groups)
-
- if conf.exists('ciphers'):
- ciphers = conf.return_values('ciphers')
- ssh.setdefault('ciphers', ciphers)
-
- if conf.exists('disable-host-validation'):
- ssh['host_validation'] = 'no'
-
- if conf.exists('disable-password-authentication'):
- ssh['password_authentication'] = 'no'
-
- if conf.exists('key-exchange'):
- kex = conf.return_values('key-exchange')
- ssh.setdefault('key_exchange', kex)
-
- if conf.exists('listen-address'):
- # We can listen on both IPv4 and IPv6 addresses
- # Maybe there could be a check in the future if the configured IP address
- # is configured on this system at all?
- addresses = conf.return_values('listen-address')
- listen = []
-
- for addr in addresses:
- listen.append(addr)
-
- ssh.setdefault('listen_on', listen)
-
- if conf.exists('loglevel'):
- ssh['log_level'] = conf.return_value('loglevel')
-
- if conf.exists('mac'):
- mac = conf.return_values('mac')
- ssh.setdefault('mac', mac)
-
- if conf.exists('port'):
- port = conf.return_value('port')
- ssh.setdefault('port', port)
-
- return ssh
-
-def verify(ssh):
- if ssh is None:
- return None
-
- if 'loglevel' in ssh.keys():
- allowed_loglevel = 'QUIET, FATAL, ERROR, INFO, VERBOSE'
- if not ssh['loglevel'] in allowed_loglevel:
- raise ConfigError('loglevel must be one of "{0}"\n'.format(allowed_loglevel))
-
- return None
-
-def generate(ssh):
- if ssh is None:
- return None
-
- tmpl = jinja2.Template(config_tmpl)
- config_text = tmpl.render(ssh)
- with open(config_file, 'w') as f:
- f.write(config_text)
- return None
-
-def apply(ssh):
- if ssh is not None and 'port' in ssh.keys():
- os.system("sudo systemctl restart ssh")
- else:
- # SSH access is removed in the commit
- os.system("sudo systemctl stop ssh")
- os.unlink(config_file)
-
- return None
-
-if __name__ == '__main__':
- try:
- c = get_config()
- verify(c)
- generate(c)
- apply(c)
- except ConfigError as e:
- print(e)
- sys.exit(1)