From b7921163b29824d32f1a3254af7c4125e704d511 Mon Sep 17 00:00:00 2001 From: Gabor Gombas Date: Wed, 17 Oct 2018 18:01:03 +0200 Subject: [PATCH] ncm-metaconfig/ssh: Implement SSH daemon configuration The main driver was getting support for "Match ..." blocks, which would have been more dificult to add to ncm-ssh. --- .../src/main/metaconfig/ssh/pan/schema.pan | 109 ++++++++++++++++++ .../main/metaconfig/ssh/pan/server_config.pan | 8 ++ .../src/main/metaconfig/ssh/server.tt | 7 ++ .../src/main/metaconfig/ssh/server_attrs.tt | 44 +++++++ .../ssh/tests/profiles/server_allopts.pan | 96 +++++++++++++++ .../ssh/tests/profiles/server_config.pan | 17 +++ .../ssh/tests/regexps/server_allopts/base | 99 ++++++++++++++++ .../ssh/tests/regexps/server_config/base | 9 ++ 8 files changed, 389 insertions(+) create mode 100644 ncm-metaconfig/src/main/metaconfig/ssh/pan/server_config.pan create mode 100644 ncm-metaconfig/src/main/metaconfig/ssh/server.tt create mode 100644 ncm-metaconfig/src/main/metaconfig/ssh/server_attrs.tt create mode 100644 ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_allopts.pan create mode 100644 ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_config.pan create mode 100644 ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_allopts/base create mode 100644 ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_config/base diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan b/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan index 46d3049c37..f6d1792732 100644 --- a/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan +++ b/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan @@ -140,3 +140,112 @@ type ssh_config_file = { 'main' ? ssh_config_opts }; +# Not all options may appear inside a Match block +type sshd_config_match_opts = { + 'AcceptEnv' ? string[] + 'AllowAgentForwarding' ? boolean + 'AllowGroups' ? string[] + 'AllowStreamLocalForwarding' ? string with match (SELF, "^(yes|all|no|local|remote)$") + 'AllowTcpForwarding' ? string with match (SELF, "^(yes|all|no|local|remote)$") + 'AllowUsers' ? string[] + 'AuthenticationMethods' ? string[] # Don't go into details - it does not seem to worth the effort + 'AuthorizedKeysCommand' ? absolute_file_path + 'AuthorizedKeysCommandUser' ? string + 'AuthorizedKeysFile' ? string[] + 'AuthorizedPrincipalsCommand' ? absolute_file_path + 'AuthorizedPrincipalsCommandUser' ? string + 'AuthorizedPrincipalsFile' ? string[] + 'Banner' ? string + 'ChrootDirectory' ? string + 'ClientAliveCountMax' ? long(1..) + 'ClientAliveInterval' ? long(0..) + 'DenyGroups' ? string[] + 'DenyUsers' ? string[] + 'ForceCommand' ? string + 'GatewayPorts' ? string with match (SELF, "^(yes|no|clientspecified)$") + 'GSSAPIAuthentication' ? boolean + 'HostbasedAcceptedKeyTypes' ? temp_ssh_hostkeyalgorithms[] + 'HostbasedAuthentication' ? boolean + 'HostbasedUsesNameFromPacketOnly' ? boolean + 'IPQoS' ? string[] with length(SELF) == 1 || length(SELF) == 2 + 'KbdInteractiveAuthentication' ? boolean + 'KerberosAuthentication' ? boolean + 'LogLevel' ? string with match (SELF, "^(QUIET|FATAL|ERROR|INFO|VERBOSE|DEBUG[123]?)$") + 'MaxAuthTries' ? long(1..) + 'MaxSessions' ? long(0..) + 'PasswordAuthentication' ? boolean + 'PermitEmptyPasswords' ? boolean + 'PermitListen' ? string[] # type_hostport would not allow wildcards + 'PermitOpen' ? string[] # type_hostport would not allow wildcards + 'PermitRootLogin' ? string with match (SELF, "^(yes|prohibit-password|without-password|forced-commands-only|no)$") + 'PermitTTY' ? boolean + 'PermitTunnel' ? string with match (SELF, "^(yes|point-to-point|ethernet|no)$") + 'PermitUserRC' ? boolean + 'PubkeyAcceptedKeyTypes' ? temp_ssh_hostkeyalgorithms[] + 'PubkeyAuthentication' ? boolean + 'RekeyLimit' ? string[] with length(SELF) == 1 || length(SELF) == 2 + 'RSAAuthentication' ? boolean + 'RhostsRSAAuthentication' ? boolean + 'RevokedKeys' ? string + 'RDomain' ? string + 'SetEnv' ? string{} + 'StreamLocalBindMask' ? string with match (SELF, "^[0-7]{3,5}$") + 'StreamLocalBindUnlink' ? boolean + 'TrustedUserCAKeys' ? string + 'X11DisplayOffset' ? long(0..) + 'X11Forwarding' ? boolean + 'X11UseLocalHost' ? boolean +}; + +type sshd_config_match = { + "matches" : string[] + include sshd_config_match_opts +}; + +type sshd_config_opts = { + include sshd_config_match_opts + 'AddressFamily' ? string with match (SELF, "^(any|inet|inet6)$") + 'ChallengeResponseAuthentication' ? boolean + 'Ciphers' ? temp_ssh_ciphers[] + 'Compression' ? boolean + 'DisableForwarding' ? boolean + 'ExposeAuthInfo' ? boolean + 'FingerprintHash' ? string with match (SELF, "^(md5|sha256)$") + 'GSSAPICleanupCredentials' ? boolean + 'GSSAPIKeyExchange' ? boolean + 'GSSAPIStrictAcceptorCheck' ? boolean + 'GSSAPIStoreCredentialsOnRekey' ? boolean + 'HostCertificate' ? string + 'HostKey' ? string[] + 'HostKeyAgent' ? string + 'HostKeyAlgorithms' ? temp_ssh_hostkeyalgorithms[] + 'IgnoreRhosts' ? boolean + 'IgnoreUserKnownHosts' ? boolean + 'KerberosGetAFSToken' ? boolean + 'KerberosOrLocalPasswd' ? boolean + 'KerberosTicketCleanup' ? boolean + 'KexAlgorithms' ? temp_ssh_kexalgorithms[] + 'ListenAddress' ? type_hostport[] + 'LoginGraceTime' ? long(0..) + 'MACs' ? temp_ssh_MACs[] + 'Match' ? sshd_config_match[] + 'MaxStartups' ? string with match (SELF, "^[0-9]+(:[0-9]+:[0-9]+)?$") + 'PermitUserEnvironment' ? boolean + 'PidFile' ? absolute_file_path + 'Port' ? long(1..)[] + 'PrintLastLog' ? boolean + 'PrintMotd' ? boolean + 'StrictModes' ? boolean + 'Subsystem' ? string{} + 'SyslogFacility' ? string with match (SELF, "^(DAEMON|USER|AUTH|LOCAL[0-7])$") + 'TCPKeepAlive' ? boolean + 'UseDNS' ? boolean + 'UsePAM' ? boolean + 'VersionAddendum' ? string + 'XAuthLocation' ? absolute_file_path +}; + +type sshd_config_file = { + 'Match' ? sshd_config_match[] + 'main' ? sshd_config_opts +}; diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/pan/server_config.pan b/ncm-metaconfig/src/main/metaconfig/ssh/pan/server_config.pan new file mode 100644 index 0000000000..2f8250e567 --- /dev/null +++ b/ncm-metaconfig/src/main/metaconfig/ssh/pan/server_config.pan @@ -0,0 +1,8 @@ +unique template metaconfig/ssh/server_config; + +include 'metaconfig/ssh/schema'; + +bind "/software/components/metaconfig/services/{/etc/ssh/sshd_config}/contents" = sshd_config_file; + +prefix "/software/components/metaconfig/services/{/etc/ssh/sshd_config}"; +"module" = "ssh/server"; diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/server.tt b/ncm-metaconfig/src/main/metaconfig/ssh/server.tt new file mode 100644 index 0000000000..b5b6de5124 --- /dev/null +++ b/ncm-metaconfig/src/main/metaconfig/ssh/server.tt @@ -0,0 +1,7 @@ + +[% INCLUDE metaconfig/ssh/server_attrs.tt data=main -%] + +[% FOREACH mt IN Match -%] +Match [% mt.matches.join(' ') %] +[% INCLUDE metaconfig/ssh/server_attrs.tt data=mt FILTER indent %] +[% END -%] diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/server_attrs.tt b/ncm-metaconfig/src/main/metaconfig/ssh/server_attrs.tt new file mode 100644 index 0000000000..d5288421a8 --- /dev/null +++ b/ncm-metaconfig/src/main/metaconfig/ssh/server_attrs.tt @@ -0,0 +1,44 @@ +[% spacelist = ['AcceptEnv', 'AllowGroups', 'AllowUsers', 'AuthenticationMethods', 'AuthorizedKeysFile', 'AuthorizedPrincipalsFile', + 'DenyGroups', 'DenyUsers', + 'IPQoS', + 'PermitListen', 'PermitOpen', + 'RekeyLimit' ] -%] +[% commalist = ['Ciphers', 'HostKeyAlgorithms', 'HostbasedAcceptedKeyTypes', 'KexAlgorithms', 'MACs', 'PubkeyAcceptedKeyTypes' ] -%] +[% multilinelist = ['HostKey', 'ListenAddress', 'Port' ] -%] +[% booleans = ['AllowAgentForwarding', + 'ChallengeResponseAuthentication', 'Compression', + 'ExposeAuthInfo', + 'GSSAPIAuthentication', 'GSSAPICleanupCredentials', 'GSSAPIKeyExchange', 'GSSAPIStrictAcceptorCheck', 'GSSAPIStoreCredentialsOnRekey', + 'HostbasedAuthentication', 'HostbasedUsesNameFromPacketOnly', + 'IgnoreRhosts', 'IgnoreUserKnownHosts', + 'KbdInteractiveAuthentication', 'KerberosAuthentication', 'KerberosGetAFSToken', 'KerberosOrLocalPasswd', 'KerberosTicketCleanup', + 'PasswordAuthentication', 'PermitEmptyPasswords', 'PermitRootLogin', 'PermitTTY', 'PermitTunnel', 'PermitUserEnvironment', + 'PermitUserRC', 'PrintLastLog', 'PrintMotd', 'PubkeyAuthentication', + 'StreamLocalBindUnlink', 'StrictModes', + 'TCPKeepAlive', 'UseDNS', 'UsePAM', 'X11Forwarding', 'X11UseLocalhost'] -%] + +[%- FOREACH pair IN data.pairs -%] +[% NEXT IF pair.key == 'matches' -%] +[% SWITCH pair.key -%] +[% CASE booleans -%] +[% pair.key %] [% pair.value ? 'Yes' : 'No' %] +[% CASE spacelist -%] +[% pair.key %] [% pair.value.join(' ') %] +[% CASE commalist -%] +[% pair.key %] [% pair.value.join(',') %] +[% CASE multilinelist -%] +[% FOREACH line IN pair.value -%] +[% pair.key %] [% line %] +[% END -%] +[% CASE 'Subsystem' -%] +[% FOREACH item IN pair.value.pairs -%] +Subsystem [% item.key %] [% item.value %] +[% END -%] +[% CASE 'SetEnv' -%] +[% FOREACH item IN pair.value.pairs -%] +SetEnv [% item.key %]="[% item.value %]" +[% END -%] +[% CASE -%] +[% pair.key %] [% pair.value %] +[% END -%] +[% END -%] diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_allopts.pan b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_allopts.pan new file mode 100644 index 0000000000..d8d2f5d3cc --- /dev/null +++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_allopts.pan @@ -0,0 +1,96 @@ +object template server_allopts; + +include 'metaconfig/ssh/server_config'; + +prefix "/software/components/metaconfig/services/{/etc/ssh/sshd_config}/contents"; + +"main/AcceptEnv" = list("LC_CTYPE", "LANG", "TERM"); +"main/AddressFamily" = "any"; +"main/AllowAgentForwarding" = false; +"main/AllowGroups" = list("wheel"); +"main/AllowStreamLocalForwarding" = "local"; +"main/AllowTcpForwarding" = "local"; +"main/AllowUsers" = list("quattor"); +"main/AuthenticationMethods" = list("any"); +"main/AuthorizedKeysCommand" = "/usr/sbin/key-lookup"; +"main/AuthorizedKeysCommandUser" = "keyuser"; +"main/AuthorizedKeysFile" = list("/etc/ssh/authorized_keys", ".ssh/authorized_keys"); +"main/AuthorizedPrincipalsCommand" = "/usr/sbin/principal-lookup"; +"main/AuthorizedPrincipalsCommandUser" = "princuser"; +"main/AuthorizedPrincipalsFile" = list("/etc/ssh/x509_users", ".ssh/x509_users"); +"main/Banner" = "Configured by Quattor"; +"main/ChallengeResponseAuthentication" = false; +"main/ChrootDirectory" = "/srv/ssh"; +"main/Ciphers" = list("chacha20-poly1305@openssh.com", "arcfour256", "arcfour128", "aes128-cbc", "3des-cbc"); +"main/ClientAliveCountMax" = 3; +"main/ClientAliveInterval" = 30; +"main/Compression" = false; +"main/DenyGroups" = list("adm"); +"main/DenyUsers" = list("root"); +"main/DisableForwarding" = false; +"main/ExposeAuthInfo" = false; +"main/FingerprintHash" = "sha256"; +"main/ForceCommand" = "cat /etc/motd"; +"main/GatewayPorts" = "clientspecified"; +"main/GSSAPIAuthentication" = true; +"main/GSSAPICleanupCredentials" = true; +"main/GSSAPIKeyExchange" = true; +"main/GSSAPIStrictAcceptorCheck" = true; +"main/GSSAPIStoreCredentialsOnRekey" = true; +"main/HostbasedAcceptedKeyTypes" = list("-ssh-rsa"); +"main/HostbasedAuthentication" = true; +"main/HostbasedUsesNameFromPacketOnly" = false; +"main/HostCertificate" = "/etc/ssh/ssh_host_cert.pem"; +"main/HostKey" = list("/etc/ssh/ssh_host_rsa_key", "/etc/ssh/ssh_host_ed25519_key"); +"main/HostKeyAgent" = "/run/ssh/key_agent.socket"; +"main/HostKeyAlgorithms" = list("ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"); +"main/IPQoS" = list("lowdelay", "throughput"); +"main/IgnoreRhosts" = true; +"main/IgnoreUserKnownHosts" = true; +"main/KbdInteractiveAuthentication" = true; +"main/KerberosAuthentication" = false; +"main/KerberosGetAFSToken" = false; +"main/KerberosOrLocalPasswd" = false; +"main/KerberosTicketCleanup" = true; +"main/KexAlgorithms" = list("ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"); +"main/ListenAddress" = list("127.0.0.1:22", "192.168.0.1:22", "192.168.0.1:2200"); +"main/LogLevel" = "DEBUG3"; +"main/LoginGraceTime" = 60; +"main/MACs" = list("hmac-sha1-96-etm@openssh.com", "hmac-md5-96-etm@openssh.com"); +"main/MaxAuthTries" = 3; +"main/MaxSessions" = 10; +"main/MaxStartups" = "10:30:100"; +"main/PasswordAuthentication" = false; +"main/PermitEmptyPasswords" = false; +"main/PermitListen" = list("8080", "127.0.0.1:*"); +"main/PermitOpen" = list("8080", "192.168.0.1:*"); +"main/PermitRootLogin" = "prohibit-password"; +"main/PermitTTY" = true; +"main/PermitTunnel" = "point-to-point"; +"main/PermitUserEnvironment" = false; +"main/PermitUserRC" = false; +"main/PidFile" = "/run/sshd.pid"; +"main/Port" = list(22, 2200); +"main/PrintLastLog" = true; +"main/PrintMotd" = true; +"main/PubkeyAcceptedKeyTypes" = list("-ssh-rsa"); +"main/PubkeyAuthentication" = true; +"main/RDomain" = "%D"; +"main/RSAAuthentication" = false; +"main/RekeyLimit" = list("1G", "300s"); +"main/RevokedKeys" = "/etc/ssh/revoked_keys"; +"main/RhostsRSAAuthentication" = false; +"main/SetEnv" = dict("LC_ALL", "C", "TERM", "xterm"); +"main/StreamLocalBindMask" = "0177"; +"main/StreamLocalBindUnlink" = false; +"main/Subsystem" = dict("sftp", "internal-sftp"); +"main/SyslogFacility" = "AUTH"; +"main/TCPKeepAlive" = true; +"main/TrustedUserCAKeys" = "/etc/ssh/trusted_cas"; +"main/UseDNS" = true; +"main/UsePAM" = true; +"main/VersionAddendum" = "extra"; +"main/X11DisplayOffset" = 10; +"main/X11Forwarding" = true; +"main/X11UseLocalHost" = true; +"main/XAuthLocation" = "/usr/bin/xauth"; diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_config.pan b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_config.pan new file mode 100644 index 0000000000..5bf466885f --- /dev/null +++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_config.pan @@ -0,0 +1,17 @@ +object template server_config; + +include 'metaconfig/ssh/server_config'; + +prefix "/software/components/metaconfig/services/{/etc/ssh/sshd_config}/contents"; + +"main/AddressFamily" = "any"; +"main/Ciphers" = list("aes128-ctr", "aes192-ctr", "aes256-ctr"); +"main/PasswordAuthentication" = false; +"main/Subsystem" = dict("sftp", "internal-sftp"); + +'Match' = append( + dict( + "matches", list("User testuser2", "Address 192.168.0.0/16"), + "PasswordAuthentication", true, + ) + ); diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_allopts/base b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_allopts/base new file mode 100644 index 0000000000..363a2985f7 --- /dev/null +++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_allopts/base @@ -0,0 +1,99 @@ +Base test for all ssh server config options +--- +/etc/ssh/sshd_config +--- +^AcceptEnv\sLC_CTYPE\sLANG\sTERM$ +^AddressFamily\sany$ +^AllowAgentForwarding\sNo$ +^AllowGroups\swheel$ +^AllowStreamLocalForwarding\slocal$ +^AllowTcpForwarding\slocal$ +^AllowUsers\squattor$ +^AuthenticationMethods\sany$ +^AuthorizedKeysCommand\s/usr/sbin/key-lookup$ +^AuthorizedKeysCommandUser\skeyuser$ +^AuthorizedKeysFile\s/etc/ssh/authorized_keys\s\.ssh/authorized_keys$ +^AuthorizedPrincipalsCommand\s/usr/sbin/principal-lookup$ +^AuthorizedPrincipalsCommandUser\sprincuser$ +^AuthorizedPrincipalsFile\s/etc/ssh/x509_users\s\.ssh/x509_users$ +^Banner\sConfigured by Quattor$ +^ChallengeResponseAuthentication\sNo$ +^ChrootDirectory\s/srv/ssh$ +^Ciphers\schacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc$ +^ClientAliveCountMax\s3$ +^ClientAliveInterval\s30$ +^Compression\sNo$ +^DenyGroups\sadm$ +^DenyUsers\sroot$ +^DisableForwarding\s0$ +^ExposeAuthInfo\sNo$ +^FingerprintHash\ssha256$ +^ForceCommand\scat\s/etc/motd$ +^GSSAPIAuthentication\sYes$ +^GSSAPICleanupCredentials\sYes$ +^GSSAPIKeyExchange\sYes$ +^GSSAPIStoreCredentialsOnRekey\sYes$ +^GSSAPIStrictAcceptorCheck\sYes$ +^GatewayPorts\sclientspecified$ +^HostCertificate\s/etc/ssh/ssh_host_cert.pem$ +^HostKey\s/etc/ssh/ssh_host_rsa_key$ +^HostKey\s/etc/ssh/ssh_host_ed25519_key$ +^HostKeyAgent\s/run/ssh/key_agent\.socket$ +^HostKeyAlgorithms\secdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521$ +^HostbasedAcceptedKeyTypes\s-ssh-rsa$ +^HostbasedAuthentication\sYes$ +^HostbasedUsesNameFromPacketOnly\sNo$ +^IPQoS\slowdelay\sthroughput$ +^IgnoreRhosts\sYes$ +^IgnoreUserKnownHosts\sYes$ +^KbdInteractiveAuthentication\sYes$ +^KerberosAuthentication\sNo$ +^KerberosGetAFSToken\sNo$ +^KerberosOrLocalPasswd\sNo$ +^KerberosTicketCleanup\sYes$ +^KexAlgorithms\secdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521$ +^ListenAddress\s127\.0\.0\.1:22$ +^ListenAddress\s192\.168\.0\.1:22$ +^ListenAddress\s192\.168\.0\.1:2200$ +^LogLevel\sDEBUG3$ +^LoginGraceTime\s60$ +^MACs\shmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com$ +^MaxAuthTries\s3$ +^MaxSessions\s10$ +^MaxStartups\s10:30:100$ +^PasswordAuthentication\sNo$ +^PermitEmptyPasswords\sNo$ +^PermitListen\s8080\s127\.0\.0\.1:\*$ +^PermitOpen\s8080\s192\.168\.0\.1:\*$ +^PermitRootLogin\sYes$ +^PermitTTY\sYes$ +^PermitTunnel\sYes$ +^PermitUserEnvironment\sNo$ +^PermitUserRC\sNo$ +^PidFile\s/run/sshd\.pid$ +^Port\s22$ +^Port\s2200$ +^PrintLastLog\sYes$ +^PrintMotd\sYes$ +^PubkeyAcceptedKeyTypes\s-ssh-rsa$ +^PubkeyAuthentication\sYes$ +^RDomain\s%D$ +^RSAAuthentication\s0$ +^RekeyLimit\s1G\s300s$ +^RevokedKeys\s/etc/ssh/revoked_keys$ +^RhostsRSAAuthentication\s0$ +^SetEnv\sLC_ALL="C"$ +^SetEnv\sTERM="xterm"$ +^StreamLocalBindMask\s0177$ +^StreamLocalBindUnlink\sNo$ +^Subsystem\ssftp\sinternal-sftp$ +^SyslogFacility\sAUTH$ +^TCPKeepAlive\sYes$ +^TrustedUserCAKeys\s/etc/ssh/trusted_cas$ +^UseDNS\sYes$ +^UsePAM\sYes$ +^VersionAddendum\sextra$ +^X11DisplayOffset\s10$ +^X11Forwarding\sYes$ +^X11UseLocalHost\s1$ +^XAuthLocation\s/usr/bin/xauth$ diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_config/base b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_config/base new file mode 100644 index 0000000000..a02fa74943 --- /dev/null +++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_config/base @@ -0,0 +1,9 @@ +Base test for ssh server config +--- +/etc/ssh/sshd_config +--- +^AddressFamily\sany$ +^Ciphers\saes128-ctr,aes192-ctr,aes256-ctr$ +^PasswordAuthentication\sNo$ +^Match\sUser\stestuser2\sAddress\s192.168.0.0/16$ +^\s{4}PasswordAuthentication\sYes$