Diffstat (limited to 'src/conf_mode/ssh.py')
-rwxr-xr-xsrc/conf_mode/ssh.py67
1 files changed, 47 insertions, 20 deletions
diff --git a/src/conf_mode/ssh.py b/src/conf_mode/ssh.py
index f1ac19473..2a5cba99a 100755
--- a/src/conf_mode/ssh.py
+++ b/src/conf_mode/ssh.py
@@ -67,82 +67,103 @@ UseDNS {{ host_validation }}
# Specifies the port number that sshd listens on. The default is 22.
# Multiple options of this type are permitted.
+{% if mport|length != 0 %}
+{% for p in mport %}
+Port {{ p }}
+{% endfor %}
+{% else %}
Port {{ port }}
+{% endif %}
# Gives the verbosity level that is used when logging messages from sshd
LogLevel {{ log_level }}
# Specifies whether root can log in using ssh
-PermitRootLogin {{ allow_root }}
+PermitRootLogin no
# Specifies whether password authentication is allowed
PasswordAuthentication {{ password_authentication }}
-{% if listen_on -%}
+{% if listen_on %}
# Specifies the local addresses sshd should listen on
-{% for a in listen_on -%}
+{% for a in listen_on %}
ListenAddress {{ a }}
-{% endfor -%}
+{% endfor %}
+{{ "\n" }}
{% endif %}
-{% if ciphers -%}
+{%- if ciphers %}
# Specifies the ciphers allowed. Multiple ciphers must be comma-separated.
#
# NOTE: As of now, there is no 'multi' node for 'ciphers', thus we have only one :/
Ciphers {{ ciphers | join(",") }}
+{{ "\n" }}
{% endif %}
-{% if mac -%}
+{%- if mac %}
# Specifies the available MAC (message authentication code) algorithms. The MAC
# algorithm is used for data integrity protection. Multiple algorithms must be
# comma-separated.
#
# NOTE: As of now, there is no 'multi' node for 'mac', thus we have only one :/
MACs {{ mac | join(",") }}
+{{ "\n" }}
{% endif %}
-{% if key_exchange -%}
+{%- if key_exchange %}
# Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must
# be comma-separated.
#
# NOTE: As of now, there is no 'multi' node for 'key-exchange', thus we have only one :/
KexAlgorithms {{ key_exchange | join(",") }}
+{{ "\n" }}
{% endif %}
-{% if allow_users -%}
+{%- if allow_users %}
# This keyword can be followed by a list of user name patterns, separated by spaces.
# If specified, login is allowed only for user names that match one of the patterns.
# Only user names are valid, a numerical user ID is not recognized.
AllowUsers {{ allow_users | join(" ") }}
+{{ "\n" }}
{% endif %}
-{% if allow_groups -%}
+{%- if allow_groups %}
# This keyword can be followed by a list of group name patterns, separated by spaces.
# If specified, login is allowed only for users whose primary group or supplementary
# group list matches one of the patterns. Only group names are valid, a numerical group
# ID is not recognized.
AllowGroups {{ allow_groups | join(" ") }}
+{{ "\n" }}
{% endif %}
-{% if deny_users -%}
+{%- if deny_users %}
# This keyword can be followed by a list of user name patterns, separated by spaces.
# Login is disallowed for user names that match one of the patterns. Only user names
# are valid, a numerical user ID is not recognized.
DenyUsers {{ deny_users | join(" ") }}
+{{ "\n" }}
{% endif %}
-{% if deny_groups -%}
+{%- if deny_groups %}
# This keyword can be followed by a list of group name patterns, separated by spaces.
# Login is disallowed for users whose primary group or supplementary group list matches
# one of the patterns. Only group names are valid, a numerical group ID is not recognized.
DenyGroups {{ deny_groups | join(" ") }}
+{{ "\n" }}
+{% endif %}
+
+{%- if client_keepalive %}
+# Sets a timeout interval in seconds after which if no data has been received from the client,
+# sshd will send a message through the encrypted channel to request a response from the client.
+# The default is 0, indicating that these messages will not be sent to the client.
+# This option applies to protocol version 2 only.
+ClientAliveInterval {{ client_keepalive }}
{% endif %}
"""
default_config_data = {
'port' : '22',
'log_level': 'INFO',
- 'allow_root': 'no',
'password_authentication': 'yes',
'host_validation': 'yes'
}
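Review bot: `{% if mport|length != 0 %}` on the new Port block only works because `mport` is absent from the render dict when no port is configured and Jinja's default Undefined reports a length of 0; the plain truth test `{% if mport %}` is clearer and matches every other optional block in this template (`{%- if ciphers %}`, `{%- if allow_users %}`). The added `{{ "\n" }}` lines are a workaround for the `trim_blocks=True` introduced in generate(), and nothing says so; a one-line comment near the top of the template, such as `# NOTE: the explicit {{ "\n" }} outputs keep a blank line between sections because trim_blocks drops the newline after each tag`, would stop the next maintainer from deleting them as noise. The ClientAliveInterval comment copied from the sshd manual ("applies to protocol version 2 only") is stale for current OpenSSH, which no longer ships protocol 1, and it does not mention that the interval only drops idle sessions together with ClientAliveCountMax (left at its default here); I would drop the protocol sentence and add `# Sessions are closed after ClientAliveCountMax (default 3) unanswered probes.`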
@@ -171,9 +192,6 @@ def get_config():
deny_groups = conf.return_values('access-control deny group')
ssh['deny_groups'] = deny_groups
- if conf.exists('allow-root'):
- ssh['allow-root'] = 'yes'
-
if conf.exists('ciphers'):
ciphers = conf.return_values('ciphers')
ssh['ciphers'] = ciphers
@@ -208,8 +226,17 @@ def get_config():
ssh['mac'] = mac
if conf.exists('port'):
- port = conf.return_value('port')
- ssh['port'] = port
+ ports = conf.return_values('port')
+ mport = []
+
+ for prt in ports:
+ mport.append(prt)
+
+ ssh['mport'] = mport
+
+ if conf.exists('client-keepalive-interval'):
+ client_keepalive = conf.return_value('client-keepalive-interval')
+ ssh['client_keepalive'] = client_keepalive
return ssh
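Review bot: The new `mport` and `client_keepalive` values go into the sshd_config template exactly as returned by conf, and nothing in this file range-checks them; unless the interface definition already constrains them (not visible here), a port outside 1-65535 or a non-numeric keepalive makes sshd reject the generated config at the restart in apply(), which is the kind of failure that locks an operator out of the box. If verify() (outside this hunk) does not cover it yet, add checks there along the lines of `if not all(p.isdigit() and 1 <= int(p) <= 65535 for p in ssh.get('mport', [])): raise ConfigError('ssh port must be in 1-65535')` using whatever error type this file raises for commit failures. The append loop is also redundant since return_values() already yields the list, so `ssh['mport'] = conf.return_values('port')` says the same thing in one line. get_config() starts outside this hunk.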
@@ -228,7 +255,7 @@ def generate(ssh):
if ssh is None:
return None
- tmpl = jinja2.Template(config_tmpl)
+ tmpl = jinja2.Template(config_tmpl, trim_blocks=True)
config_text = tmpl.render(ssh)
with open(config_file, 'w') as f:
f.write(config_text)
@@ -236,10 +263,10 @@ def generate(ssh):
def apply(ssh):
if ssh is not None and 'port' in ssh.keys():
- os.system("sudo systemctl restart ssh")
+ os.system("sudo systemctl restart ssh.service")
else:
# SSH access is removed in the commit
- os.system("sudo systemctl stop ssh")
+ os.system("sudo systemctl stop ssh.service")
os.unlink(config_file)
return None
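Review bot: Both os.system() calls still discard the exit status, so a restart that fails because sshd rejects the freshly written config (for example a bad Port value from the new multi-port handling) is reported as a successful commit while remote access is actually down. At minimum check the result, `if os.system("sudo systemctl restart ssh.service") != 0: raise RuntimeError("ssh.service restart failed")` (or the error type this file already uses for commit failures), and consider running `sshd -t -f` on config_file before the restart so a broken config is rejected while the old daemon keeps serving. subprocess.run with an argument list would be the idiomatic replacement for the shell strings, although nothing user-controlled enters these commands.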