From c9eaafd9f808aba8d29be73054e11d37577e539a Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Sat, 30 Dec 2023 23:25:20 +0100
Subject: T5474: establish common file name pattern for XML conf mode commands

We will use _ as CLI level divider. The XML definition filename and also
the Python helper should match the CLI node.

Example:
set interfaces ethernet -> interfaces_ethernet.xml.in
set interfaces bond -> interfaces_bond.xml.in
set service dhcp-server -> service_dhcp-server-xml.in

(cherry picked from commit 4ef110fd2c501b718344c72d495ad7e16d2bd465)
---
 interface-definitions/service_ssh.xml.in | 270 +++++++++++++++++++++++++++++++
 1 file changed, 270 insertions(+)
 create mode 100644 interface-definitions/service_ssh.xml.in

(limited to 'interface-definitions/service_ssh.xml.in')

diff --git a/interface-definitions/service_ssh.xml.in b/interface-definitions/service_ssh.xml.in
new file mode 100644
index 000000000..5c893bd35
--- /dev/null
+++ b/interface-definitions/service_ssh.xml.in
@@ -0,0 +1,270 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+  <node name="service">
+    <properties>
+      <help>System services</help>
+    </properties>
+    <children>
+      <node name="ssh" owner="${vyos_conf_scripts_dir}/service_ssh.py">
+        <properties>
+          <help>Secure Shell (SSH)</help>
+          <priority>1000</priority>
+        </properties>
+        <children>
+          <node name="access-control">
+            <properties>
+              <help>SSH user/group access controls</help>
+            </properties>
+            <children>
+              <node name="allow">
+                <properties>
+                  <help>Allow user/group SSH access</help>
+                </properties>
+                <children>
+                  #include <include/ssh-group.xml.i>
+                  #include <include/ssh-user.xml.i>
+                </children>
+              </node>
+              <node name="deny">
+                <properties>
+                  <help>Deny user/group SSH access</help>
+                </properties>
+                <children>
+                  #include <include/ssh-group.xml.i>
+                  #include <include/ssh-user.xml.i>
+                </children>
+              </node>
+            </children>
+          </node>
+          <leafNode name="ciphers">
+            <properties>
+              <help>Allowed ciphers</help>
+              <completionHelp>
+                <!-- generated by ssh -Q cipher | tr '\n' ' ' as this will not change dynamically  -->
+                <list>3des-cbc aes128-cbc aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com chacha20-poly1305@openssh.com</list>
+              </completionHelp>
+                <constraint>
+                  <regex>(3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|rijndael-cbc@lysator.liu.se|aes128-ctr|aes192-ctr|aes256-ctr|aes128-gcm@openssh.com|aes256-gcm@openssh.com|chacha20-poly1305@openssh.com)</regex>
+                </constraint>
+              <multi/>
+            </properties>
+          </leafNode>
+          <leafNode name="disable-host-validation">
+            <properties>
+              <help>Disable IP Address to Hostname lookup</help>
+              <valueless/>
+            </properties>
+          </leafNode>
+          <leafNode name="disable-password-authentication">
+            <properties>
+              <help>Disable password-based authentication</help>
+              <valueless/>
+            </properties>
+          </leafNode>
+          <node name="dynamic-protection">
+            <properties>
+              <help>Allow dynamic protection</help>
+            </properties>
+            <children>
+              <leafNode name="block-time">
+                <properties>
+                  <help>Block source IP in seconds. Subsequent blocks increase by a factor of 1.5</help>
+                  <valueHelp>
+                    <format>u32:1-65535</format>
+                    <description>Time interval in seconds for blocking</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="numeric" argument="--range 1-65535"/>
+                  </constraint>
+                </properties>
+                <defaultValue>120</defaultValue>
+              </leafNode>
+              <leafNode name="detect-time">
+                <properties>
+                  <help>Remember source IP in seconds before reset their score</help>
+                  <valueHelp>
+                    <format>u32:1-65535</format>
+                    <description>Time interval in seconds</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="numeric" argument="--range 1-65535"/>
+                  </constraint>
+                </properties>
+                <defaultValue>1800</defaultValue>
+              </leafNode>
+              <leafNode name="threshold">
+                <properties>
+                  <help>Block source IP when their cumulative attack score exceeds threshold</help>
+                  <valueHelp>
+                    <format>u32:1-65535</format>
+                    <description>Threshold score</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="numeric" argument="--range 1-65535"/>
+                  </constraint>
+                </properties>
+                <defaultValue>30</defaultValue>
+              </leafNode>
+              <leafNode name="allow-from">
+                <properties>
+                  <help>Always allow inbound connections from these systems</help>
+                  <valueHelp>
+                    <format>ipv4</format>
+                    <description>Address to match against</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>ipv4net</format>
+                    <description>IPv4 address and prefix length</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>ipv6</format>
+                    <description>IPv6 address to match against</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>ipv6net</format>
+                    <description>IPv6 address and prefix length</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="ip-address"/>
+                    <validator name="ip-prefix"/>
+                  </constraint>
+                  <multi/>
+                </properties>
+              </leafNode>
+            </children>
+          </node>
+          <leafNode name="hostkey-algorithm">
+            <properties>
+              <help>Allowed host key signature algorithms</help>
+              <completionHelp>
+                <!-- generated by ssh -Q HostKeyAlgorithms | tr '\n' ' ' as this will not change dynamically  -->
+                <list>ssh-ed25519 ssh-ed25519-cert-v01@openssh.com sk-ssh-ed25519@openssh.com sk-ssh-ed25519-cert-v01@openssh.com ssh-rsa rsa-sha2-256 rsa-sha2-512 ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 sk-ecdsa-sha2-nistp256@openssh.com webauthn-sk-ecdsa-sha2-nistp256@openssh.com ssh-rsa-cert-v01@openssh.com rsa-sha2-256-cert-v01@openssh.com rsa-sha2-512-cert-v01@openssh.com ssh-dss-cert-v01@openssh.com ecdsa-sha2-nistp256-cert-v01@openssh.com ecdsa-sha2-nistp384-cert-v01@openssh.com ecdsa-sha2-nistp521-cert-v01@openssh.com sk-ecdsa-sha2-nistp256-cert-v01@openssh.com</list>
+              </completionHelp>
+              <multi/>
+              <constraint>
+                <regex>(ssh-ed25519|ssh-ed25519-cert-v01@openssh.com|sk-ssh-ed25519@openssh.com|sk-ssh-ed25519-cert-v01@openssh.com|ssh-rsa|rsa-sha2-256|rsa-sha2-512|ssh-dss|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|sk-ecdsa-sha2-nistp256@openssh.com|webauthn-sk-ecdsa-sha2-nistp256@openssh.com|ssh-rsa-cert-v01@openssh.com|rsa-sha2-256-cert-v01@openssh.com|rsa-sha2-512-cert-v01@openssh.com|ssh-dss-cert-v01@openssh.com|ecdsa-sha2-nistp256-cert-v01@openssh.com|ecdsa-sha2-nistp384-cert-v01@openssh.com|ecdsa-sha2-nistp521-cert-v01@openssh.com|sk-ecdsa-sha2-nistp256-cert-v01@openssh.com)</regex>
+              </constraint>
+            </properties>
+          </leafNode>
+          <leafNode name="key-exchange">
+            <properties>
+              <help>Allowed key exchange (KEX) algorithms</help>
+              <completionHelp>
+                <!-- generated by ssh -Q kex | tr '\n' ' ' as this will not change dynamically  -->
+                <list>diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 curve25519-sha256 curve25519-sha256@libssh.org</list>
+              </completionHelp>
+              <multi/>
+              <constraint>
+                <regex>(diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group14-sha256|diffie-hellman-group16-sha512|diffie-hellman-group18-sha512|diffie-hellman-group-exchange-sha1|diffie-hellman-group-exchange-sha256|ecdh-sha2-nistp256|ecdh-sha2-nistp384|ecdh-sha2-nistp521|curve25519-sha256|curve25519-sha256@libssh.org)</regex>
+              </constraint>
+            </properties>
+          </leafNode>
+          #include <include/listen-address.xml.i>
+          <leafNode name="loglevel">
+            <properties>
+              <help>Log level</help>
+              <completionHelp>
+                <list>quiet fatal error info verbose</list>
+              </completionHelp>
+              <valueHelp>
+                <format>quiet</format>
+                <description>stay silent</description>
+              </valueHelp>
+              <valueHelp>
+                <format>fatal</format>
+                <description>log fatals only</description>
+              </valueHelp>
+              <valueHelp>
+                <format>error</format>
+                <description>log errors and fatals only</description>
+              </valueHelp>
+              <valueHelp>
+                <format>info</format>
+                <description>default log level</description>
+              </valueHelp>
+              <valueHelp>
+                <format>verbose</format>
+                <description>enable logging of failed login attempts</description>
+              </valueHelp>
+              <constraint>
+                <regex>(quiet|fatal|error|info|verbose)</regex>
+              </constraint>
+            </properties>
+            <defaultValue>info</defaultValue>
+          </leafNode>
+          <leafNode name="mac">
+            <properties>
+              <help>Allowed message authentication code (MAC) algorithms</help>
+              <completionHelp>
+                <!-- generated by ssh -Q mac | tr '\n' ' ' as this will not change dynamically  -->
+                <list>hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512 hmac-md5 hmac-md5-96 umac-64@openssh.com umac-128@openssh.com hmac-sha1-etm@openssh.com hmac-sha1-96-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com umac-64-etm@openssh.com umac-128-etm@openssh.com</list>
+              </completionHelp>
+              <constraint>
+                <regex>(hmac-sha1|hmac-sha1-96|hmac-sha2-256|hmac-sha2-512|hmac-md5|hmac-md5-96|umac-64@openssh.com|umac-128@openssh.com|hmac-sha1-etm@openssh.com|hmac-sha1-96-etm@openssh.com|hmac-sha2-256-etm@openssh.com|hmac-sha2-512-etm@openssh.com|hmac-md5-etm@openssh.com|hmac-md5-96-etm@openssh.com|umac-64-etm@openssh.com|umac-128-etm@openssh.com)</regex>
+              </constraint>
+              <multi/>
+            </properties>
+          </leafNode>
+          <leafNode name="port">
+            <properties>
+              <help>Port for SSH service</help>
+              <valueHelp>
+                <format>u32:1-65535</format>
+                <description>Numeric IP port</description>
+              </valueHelp>
+              <multi/>
+              <constraint>
+                <validator name="numeric" argument="--range 1-65535"/>
+              </constraint>
+            </properties>
+            <defaultValue>22</defaultValue>
+          </leafNode>
+          <node name="rekey">
+            <properties>
+              <help>SSH session rekey limit</help>
+            </properties>
+            <children>
+              <leafNode name="data">
+                <properties>
+                  <help>Threshold data in megabytes</help>
+                  <valueHelp>
+                    <format>u32:1-65535</format>
+                    <description>Megabytes</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="numeric" argument="--range 1-65535"/>
+                  </constraint>
+                </properties>
+              </leafNode>
+              <leafNode name="time">
+                <properties>
+                  <help>Threshold time in minutes</help>
+                  <valueHelp>
+                    <format>u32:1-65535</format>
+                    <description>Minutes</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="numeric" argument="--range 1-65535"/>
+                  </constraint>
+                </properties>
+              </leafNode>
+            </children>
+          </node>
+          <leafNode name="client-keepalive-interval">
+            <properties>
+              <help>Enable transmission of keepalives from server to client</help>
+              <valueHelp>
+                <format>u32:1-65535</format>
+                <description>Time interval in seconds for keepalive message</description>
+              </valueHelp>
+              <constraint>
+                <validator name="numeric" argument="--range 1-65535"/>
+              </constraint>
+            </properties>
+          </leafNode>
+          #include <include/interface/vrf.xml.i>
+        </children>
+      </node>
+    </children>
+  </node>
+</interfaceDefinition>
-- 
cgit v1.2.3