summaryrefslogtreecommitdiff
path: root/src/conf_mode/service_ssh.py
AgeCommit message (Collapse)Author
2026-03-24T8410: Fix typos and mistakes for operational and configuration commandsViacheslav Hletenko
Fix typos and mistakes in the commands and comments No functional changes
2025-12-14ssh: T8090: add support for config test mode (sshd -t)Christian Breunig
Add a safety-net for development to check if the rendered sshd(8) configuration can be applied at all. If it can't be applied - throw an error. From https://linux.die.net/man/8/sshd: -t Test mode. Only check the validity of the configuration file and sanity of the keys. This is useful for updating sshd reliably as configuration options may change. Explicitly forcing a broken config now results in: vyos@vyos# commit [ service ssh ] Unexpected error with SSH configuration! /run/sshd/sshd_config line 21: X11DisplayOffset integer value invalid. [[service ssh]] failed Commit failed
2025-09-20ssh: T7839: fix warning on deprecated algorithms during commitChristian Breunig
The list calculation of in-use but deprecated SSH hostkey algorithms was wrong. This was implemented in commit 6deda171e ("ssh: T7839: add deprecation warning for DSA hostkey-algorithm usage"). It always returned the content of the list of deprecated algorithms, but not the list of deprecated algorithms actually - in use - by the configuration. This has been corrected. Before: DEPRECATION WARNING: Support for SSH-DSA keys is deprecated and will be removed in VyOS 1.6. Please update affected keys to a supported algorithm (e.g., RSA, ECDSA or ED25519) to avoid authentication failures after the upgrade. The following hostkey-algorithms are in use: ssh-dss, ssh-dss-cert-v01@openssh.com After: DEPRECATION WARNING: Support for SSH-DSA keys is deprecated and will be removed in VyOS 1.6. Please update affected keys to a supported algorithm (e.g., RSA, ECDSA or ED25519) to avoid authentication failures after the upgrade. The following hostkey-algorithms are in use: ssh-dss The generation of the MOTD was not affected!
2025-09-17ssh: T7839: add deprecation warning for DSA hostkey-algorithm usageChristian Breunig
OpenSSH in Debian Trixie has removed support for ssh-dss (DSA) keys, which will prevent users with such keys from logging in after upgrade. To avoid lockouts, add a loud deprecation warning when users log in using a DSA key. This warning advises affected users to replace their keys with a supported algorithm (e.g., ed25519 or RSA) before the upgrade. Deprecation warning will be displayed during "commit" but also as MOTD to inform on this issue during every login. DEPRECATION WARNING: Support for SSH-DSA keys is deprecated and will be removed in VyOS 1.6. Please update affected keys to a supported algorithm (e.g., RSA, ECDSA or ED25519) to avoid authentication failures after the upgrade. The following hostkey-algorithms are in use: ssh-dss, ssh-dss-cert-v01@openssh.com
2025-06-28T7591: remove copyright years from source filesChristian Breunig
The legal team says years are not necessary so we can go ahead with it, since it will simplify backporting. Automatically removed using: git ls-files | grep -v libvyosconfig | xargs sed -i -E \ 's/^# Copyright (19|20)[0-9]{2}(-[0-9]{4})? VyOS maintainers.*/# Copyright VyOS maintainers and contributors <maintainers@vyos.io>/g' In addition we will error-out during "make" if someone re-adds a legacy copyright notice
2025-05-29ssh: T6013: rename trusted-user-ca-key -> truster-user-caChristian Breunig
The current implementation for SSH CA based authentication uses "set service ssh trusted-user-ca-key ca-certificate <foo>" to define an X.509 certificate from "set pki ca <foo> ..." - fun fact, native OpenSSH does not support X.509 certificates and only runs with OpenSSH ssh-keygen generated RSA or EC keys. This commit changes the bahavior to support antive certificates generated using ssh-keygen and loaded to our PKI tree. As the previous implementation did not work at all, no migrations cript is used.
2025-05-29ssh: T6013: move principal name to "system login user <name> authentication"Christian Breunig
We already support using per-user SSH public keys for system authentication. Instead of introducing a new CLI path to configure per-user principal names, we should continue using the existing CLI location and store the principal names alongside the corresponding SSH public keys. set system login user <name> principal <principal> The certificate used for SSH authentication contains an embedded principal name, which is defined under this CLI node. Only users with matching principal names are permitted to log in.
2025-05-29ssh: T6013: support SSH AuthorizedPrincipalsFile in use with trusted-user-ca-keyTakeru Hayasaka
Thisc omplements commit e7cab89f9f81 ("T6013: Add support for configuring TrustedUserCAKeys in SSH service with local and remote CA keys"). It introduces a new CLI node per user to support defining the authorized principals used by any given PKI certificate. It is now possible to associate SSH login users with their respective principals. Authored-by: Takeru Hayasaka <hayatake396@gmail.com>
2024-12-23T6013: Remove trusted_user_ca_key when the configuration does not existTakeru Hayasaka
Co-authored-by: Simon <965089+sarthurdev@users.noreply.github.com>
2024-12-23T6013: Remove unused variables to make it lint-friendlyTakeru Hayasaka
2024-12-23T6013: Add support for configuring TrustedUserCAKeys in SSH service with ↵Takeru Hayasaka
local and remote CA keys
2024-04-01ssh: T6192: allow binding to multiple VRF instancesChristian Breunig
Currently VyOS only supports binding a service to one individual VRF. It might become handy to have the services (initially it will be VRF, NTP and SNMP) be bound to multiple VRFs. Changed VRF from leafNode to multi leafNode with defaultValue: default - which is the name of the default VRF.
2023-12-31T5474: establish common file name pattern for XML conf mode commandsChristian Breunig
We will use _ as CLI level divider. The XML definition filename and also the Python helper should match the CLI node. Example: set interfaces ethernet -> interfaces_ethernet.xml.in set interfaces bond -> interfaces_bond.xml.in set service dhcp-server -> service_dhcp-server-xml.in