From 87b45f69913b7687433fb214fc97064fccd7214b Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Wed, 4 Jan 2023 19:37:30 +0100
Subject: ssh: T2651: use Debian style include directve for ssh_config.d
Commit 846e306700a ("ssh: T2651: add cli options for source address") added support for a basic SSH client option, but it grabbed the entire /etc/ssh/ssh_config file without the ability to make custom user adjustments via the /etc/ssh/ssh_config.d/ folder. This commit places the VyOS SSH options under /etc/ssh/ssh_config.d/ leaving the common override system alive.
(cherry picked from commit 7763de6c4b93d3372ab3f4572d9fa6b7536102b3)
---
 src/conf_mode/system-option.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/conf_mode/system-option.py b/src/conf_mode/system-option.py
index ddb91aeaf..2949bcfa9 100755
--- a/src/conf_mode/system-option.py
+++ b/src/conf_mode/system-option.py
@@ -31,7 +31,7 @@ from vyos import airbag
 airbag.enable()
 curlrc_config = r'/etc/curlrc'
-ssh_config = r'/etc/ssh/ssh_config'
+ssh_config = r'/etc/ssh/ssh_config.d/91-vyos-ssh-client-options.conf'
 systemd_action_file = '/lib/systemd/system/ctrl-alt-del.target'
 def get_config(config=None):
-- cgit v1.2.3
From c0745d64024a498377dd02f2fc1ef0366473e97c Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Wed, 4 Jan 2023 19:58:59 +0100
Subject: ssh: T4922: add source-interface support ssh-client
(cherry picked from commit 87cc636bd2baf576a2a5ece7a4f8318eb4f69c2e)
---
 data/templates/system/ssh_config.tmpl | 7 ++++++-
 interface-definitions/system-option.xml.in | 1 +
 src/conf_mode/system-option.py | 5 ++++-
 3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/data/templates/system/ssh_config.tmpl b/data/templates/system/ssh_config.tmpl
index abc03f069..94dac9ed3 100644
--- a/data/templates/system/ssh_config.tmpl
+++ b/data/templates/system/ssh_config.tmpl
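Review bot: The new `ssh_config` path in src/conf_mode/system-option.py (first patch) only takes effect while /etc/ssh/ssh_config still carries the distribution's `Include /etc/ssh/ssh_config.d/*.conf` line, and nothing in this hunk checks that or cleans up the file this module used to render. The commit message says the earlier code took over the whole /etc/ssh/ssh_config, so on a system where that rendered copy is still in place the drop-in would presumably be ignored without any error. ssh also keeps the first value it reads for each option, so files sorting before `91-` win over the VyOS options; a comment on the constant such as `# drop-in, read via the Include in /etc/ssh/ssh_config; ssh keeps the first value per option, so lower-numbered files take precedence` would record that. The code that writes the file is outside the hunk.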
@@ -1,3 +1,8 @@
-{% if ssh_client is defined and ssh_client.source_address is defined and ssh_client.source_address is not none %}
+{% if ssh_client is defined %}
+{% if ssh_client.source_address is defined and ssh_client.source_address is not none %}
 BindAddress {{ ssh_client.source_address }}
+{% endif %}
+{% if ssh_client.source_interface is defined and ssh_client.source_address is not none %}
+BindInterface {{ ssh_client.source_interface }}
+{% endif %}
 {% endif %}
diff --git a/interface-definitions/system-option.xml.in b/interface-definitions/system-option.xml.in
index 5f80e064d..b47dde0a0 100644
--- a/interface-definitions/system-option.xml.in
+++ b/interface-definitions/system-option.xml.in
@@ -105,6 +105,7 @@ #include + #include
diff --git a/src/conf_mode/system-option.py b/src/conf_mode/system-option.py
index 2949bcfa9..fcdaa9676 100755
--- a/src/conf_mode/system-option.py
+++ b/src/conf_mode/system-option.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2019-2020 VyOS maintainers and contributors
+# Copyright (C) 2019-2022 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -22,6 +22,7 @@ from time import sleep
 from vyos.config import Config
 from vyos.configdict import dict_merge
+from vyos.configverify import verify_source_interface
 from vyos.template import render
 from vyos.util import cmd
 from vyos.validate import is_addr_assigned
@@ -69,6 +70,8 @@ def verify(options):
 if 'source_address' in config:
 if not is_addr_assigned(config['source_address']):
 raise ConfigError('No interface with give address specified!')
+ if 'source_interface' in config:
+ verify_source_interface(config)
 return None
-- cgit v1.2.3
From 9ebf4db1296a0df870a47a32e3f0a66f8da16266 Mon Sep 17 00:00:00 2001
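Review bot: In data/templates/system/ssh_config.tmpl the guard added for BindInterface tests the wrong key: `{% if ssh_client.source_interface is defined and ssh_client.source_address is not none %}` checks `source_address` in its second half, which looks like a copy-paste slip from the BindAddress block above it. It should read `{% if ssh_client.source_interface is defined and ssh_client.source_interface is not none %}`. As written the none-check never looks at the interface value, so an empty `source_interface` would presumably be rendered into the client config as a literal `BindInterface None` instead of being skipped.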
From: Christian Poessinger
Date: Wed, 4 Jan 2023 20:12:47 +0100
Subject: ssh: T4922: extend verify() when both source-address and source-interface is used
We need to ensure that source-address is assigned on source-interface before applying the configuration, else SSH client will have a hard time talking to someone.
(cherry picked from commit d1ef90e1eb51334b99ad716969e17c7f257e1a39)
---
 src/conf_mode/system-option.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/conf_mode/system-option.py b/src/conf_mode/system-option.py
index fcdaa9676..a112c2b6f 100755
--- a/src/conf_mode/system-option.py
+++ b/src/conf_mode/system-option.py
@@ -26,6 +26,7 @@ from vyos.configverify import verify_source_interface
 from vyos.template import render
 from vyos.util import cmd
 from vyos.validate import is_addr_assigned
+from vyos.validate import is_intf_addr_assigned
 from vyos.xml import defaults
 from vyos import ConfigError
 from vyos import airbag
@@ -68,10 +69,17 @@ def verify(options):
 if 'ssh_client' in options:
 config = options['ssh_client']
 if 'source_address' in config:
+ address = config['source_address']
 if not is_addr_assigned(config['source_address']):
- raise ConfigError('No interface with give address specified!')
+ raise ConfigError('No interface with address "{address}" configured!')
+
 if 'source_interface' in config:
 verify_source_interface(config)
+ if 'source_address' in config:
+ address = config['source_address']
+ interface = config['source_interface']
+ if not is_intf_addr_assigned(interface, address):
+ raise ConfigError(f'Address "{address}" not assigned on interface "{interface}"!')
 return None
-- cgit v1.2.3
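Review bot: The rewritten error in the `source_address` branch of verify() is missing its `f` prefix, so a rejected commit shows the literal text `{address}` instead of the offending address. It should be `raise ConfigError(f'No interface with address "{address}" configured!')`, matching the f-string used for the interface check further down in the same hunk. The new `address` local is also not used by the `is_addr_assigned(config['source_address'])` call right after it; `is_addr_assigned(address)` would keep the two lines consistent. verify() begins above the hunk.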