ncm-metaconfig: ssh daemon configuration support #1377
Conversation
|
@hpcugentbot test this please |
|
Looks nice, ncm-ssh does run-time validation of the generated configuration, is this now considered unnecessary? |
|
|
||
| prefix "/software/components/metaconfig/services/{/etc/ssh/sshd_config}/contents"; | ||
|
|
||
| "main/AcceptEnv" = list("LC_CTYPE", "LANG", "TERM"); |
There was a problem hiding this comment.
use relative main prefix (or add main to the absolute prefix path)
| @@ -0,0 +1,96 @@ | |||
| object template server_allopts; | |||
|
|
|||
| include 'metaconfig/ssh/server_config'; | |||
There was a problem hiding this comment.
can you add a comment on what ssh release this is based? or which OS?
There was a problem hiding this comment.
nvm, didn't see that this was a test.
| 'RekeyLimit' ] -%] | ||
| [% commalist = ['Ciphers', 'HostKeyAlgorithms', 'HostbasedAcceptedKeyTypes', 'KexAlgorithms', 'MACs', 'PubkeyAcceptedKeyTypes' ] -%] | ||
| [% multilinelist = ['HostKey', 'ListenAddress', 'Port' ] -%] | ||
| [% booleans = ['AllowAgentForwarding', |
There was a problem hiding this comment.
these are not needed if they are true pan booleans. you can test those explicitly in TT using CCM.is_boolean() (but not in a case block
There was a problem hiding this comment.
it's value.is_boolean; see default case below
| SetEnv [% item.key %]="[% item.value %]" | ||
| [% END -%] | ||
| [% CASE -%] | ||
| [% pair.key %] [% pair.value %] |
There was a problem hiding this comment.
or do the boolean check here, and maybe add a the most common type pf list and have that here as default list format (saves you another static list)
There was a problem hiding this comment.
[% pair.key %] [% -%]
[-% IF pair.value.is_boolean -%]
[%- pair.value ? 'Yes' : 'No' -%]
[%- ELSIF CCM.is_list(pair.value) -%]
[%- pair.value.join(' ') -%]
[%- ELSE -%]
[%- pair.value -%]
[-% END -%]
| @@ -0,0 +1,44 @@ | |||
| [% spacelist = ['AcceptEnv', 'AllowGroups', 'AllowUsers', 'AuthenticationMethods', 'AuthorizedKeysFile', 'AuthorizedPrincipalsFile', | |||
There was a problem hiding this comment.
this seems the longest list; use this as the default list fallback
|
@gombasg i have ideas 😄 verifying from file might be easy to do, if we patch/hack the atomic filewriter so we can test on the temp file. but it needs a patch to the atomicwriter. |
|
@gombasg if it was desirable then the cleanest (IMHO) way to implement it would be to make the existing component use textrender with these TT files. |
|
I'm bumping this - I want to look at migrating ncm-ssh to use these TT files with |
|
@jrha The question is, where to put the schema? I don't want to duplicate the definitions which are common between the client and the server. |
|
There is another issue with |
Add support for prefixing various key types with "+" or "-" to indicate relative changes to the built-in defaults.
The main driver was getting support for "Match ..." blocks, which would have been more dificult to add to ncm-ssh.
Use value.is_boolean instead.
Re-work some regular expressions to make lines shorter. Add GSSAPIKexAlgorithms and a missing CASignatureAlgorithms setting.
How about adding a "full control" option to ncm-ssh? That would allow us to keep the config validation check prior to restarting sshd? Or have I not understood the constraint with Atomic FileWriter? |
|
A "full control" option need a new implementation of the Configure method. The schema used by ncm-ssh is incompatible with the metaconfig-based schema, so either the TT files will have to be re-written from scratch, or the entire schema need to be switched based on the value of "full control". So essentially, we'd end up with two independent, incompatible components disguised as one. I'm not sure keeping the validation would worth it. If validation is really needed, then we should convince @stdweird to add a generic validation step to metaconfig. Yes, that would in fact mean running arbitrary commands as root, because we do not always run the OS-supplied sshd, so the full path of the daemon would need to be specified in the templates, it cannot be hard-coded in the component. |
|
@gombasg @ned21 @jrha @jouvin lets settle this: feel free to vote and/or campaign for a: run arbitrary commands via ncm-metaconfig whatever is decided, i can then also implement it to run validation |
|
Ask the question differently: do we want ncm-metaconfig to ever became a suitable replacement of ncm-filecopy or not? If you want to make ncm-metaconfig to replace ncm-filecopy, then you must allow running arbitrary commands, because not everything is a systemd service. E.g., if you want to disable the user list on the GDM login screen, then the command which needs to be run is “dconf update”.
Now listing all such commands in a distinct dictionary, outside of the configuration file contents, would make sense, as it would make extracting/auditing all such potential commands easier. Individual config files would then just reference a key inside that dictionary instead of spelling out the whole command. So if one uses structure templates to define the contents of a config file, then such a structure template would still be unable to cause arbitrary commands to run – it could only trigger commands which are defined elsewhere.
From: Stijn De Weirdt <notifications@github.com>
Sent: 05 June 2020 19:02
To: quattor/configuration-modules-core <configuration-modules-core@noreply.github.com>
Cc: Gombas, Gabor (Enterprise Infrastructure) <Gabor.Gombas@morganstanley.com>; Mention <mention@noreply.github.com>
Subject: Re: [quattor/configuration-modules-core] ncm-metaconfig: ssh daemon configuration support (#1377)
@gombasg<https://github.com/gombasg> @ned21<https://github.com/ned21> @jrha<https://github.com/jrha> @jouvin<https://github.com/jouvin> lets settle this: feel free to vote and/or campaign for
a: run arbitrary commands via ncm-metaconfig
b: make static list of allowed commands (or list of regexes or somesuch) for things that make sense (like the ssh config self test or others)
c: do nothing, if you want to run arbitrary code, make a service/unit and call it as part of the daemons (should fix the dependecy order to run ncm-systemd before ncm-metaconfig)
whatever is decided, i can then also implement it to run validation
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#1377 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ABNYSMBPQ73NJZMJHJN43PLRVEQG3ANCNFSM4HFG7M3A>.
…________________________________
NOTICE: Morgan Stanley is not acting as a municipal advisor and the opinions or views contained herein are not intended to be, and do not constitute, advice within the meaning of Section 975 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. If you have received this communication in error, please destroy all electronic and paper copies and notify the sender immediately. Mistransmission is not intended to waive confidentiality or privilege. Morgan Stanley reserves the right, to the extent required and/or permitted under applicable law, to monitor electronic communications, including telephone calls with Morgan Stanley personnel. This message is subject to the Morgan Stanley General Disclaimers available at the following link: http://www.morganstanley.com/disclaimers. If you cannot access the links, please notify us by reply message and we will send the contents to you. By communicating with Morgan Stanley you acknowledge that you have read, understand and consent, (where applicable), to the foregoing and the Morgan Stanley General Disclaimers.
You may have certain rights regarding the information that Morgan Stanley collects about you. Please see our Privacy Pledge https://www.morganstanley.com/privacy-pledge for more information about your rights.
|
|
@gombasg thanks for voting! ;) i get that, i also struggle with that, as it's hard to try to limit the power of running arbitrary commands in a practical way. i can add a pre, verifiy and post command option. verify will receive the file content on stdin (like ncm-ssh checks the validity). in this case, i would then set a default value of the |
|
I’d not complicate it too much. A string should be fine. I did not write any substantial Perl code in a long time, but AFAIK some of the usual helper modules is smart enough to avoid going through the shell if the command line does not contain any shell metacharacters.
From: Stijn De Weirdt <notifications@github.com>
Sent: 08 June 2020 09:00
To: quattor/configuration-modules-core <configuration-modules-core@noreply.github.com>
Cc: Gombas, Gabor (Enterprise Infrastructure) <Gabor.Gombas@morganstanley.com>; Mention <mention@noreply.github.com>
Subject: Re: [quattor/configuration-modules-core] ncm-metaconfig: ssh daemon configuration support (#1377)
@gombasg<https://github.com/gombasg> thanks for voting! ;) i get that, i also struggle with that, as it's hard to try to limit the power of running arbitrary commands in a practical way.
i can add a pre, verifiy and post command option. verify will receive the file content on stdin (like ncm-ssh checks the validity).
in this case, i would then set a default value of the verify command to list("/usr/sbin/sshd", '-t', '-f', '/dev/stdin').
i would stick to the list format (no subshell), but not sure this is enough? should it be a list of lists to support running multiple commands? or just a string?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#1377 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ABNYSMHWGHVCLYU4BGT5XETRVSD6PANCNFSM4HFG7M3A>.
…________________________________
NOTICE: Morgan Stanley is not acting as a municipal advisor and the opinions or views contained herein are not intended to be, and do not constitute, advice within the meaning of Section 975 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. If you have received this communication in error, please destroy all electronic and paper copies and notify the sender immediately. Mistransmission is not intended to waive confidentiality or privilege. Morgan Stanley reserves the right, to the extent required and/or permitted under applicable law, to monitor electronic communications, including telephone calls with Morgan Stanley personnel. This message is subject to the Morgan Stanley General Disclaimers available at the following link: http://www.morganstanley.com/disclaimers. If you cannot access the links, please notify us by reply message and we will send the contents to you. By communicating with Morgan Stanley you acknowledge that you have read, understand and consent, (where applicable), to the foregoing and the Morgan Stanley General Disclaimers.
You may have certain rights regarding the information that Morgan Stanley collects about you. Please see our Privacy Pledge https://www.morganstanley.com/privacy-pledge for more information about your rights.
|
| }; | ||
|
|
||
| type sshd_config_match = { | ||
| "matches" : string[] |
There was a problem hiding this comment.
@gombasg why did you choose this so freeform? why not a list of dicts wit allowed keys and arbitrary values?
|
Because implementing a “union” data type in Pan is more complex than I’d wanted to be bothered with 😊 If you want to model the real grammar, then somehow you’d need to allow “matches” to be either the “All” string literal, or a list of (choice, list) items.
So ideally, something like
“matches” : resource with ((is_string(SELF) && SELF == “All”) || is_list(SELF) && (… validate all items are 2-element lists…))
… would be nice, but the “resource” type does not allow assigning a literal.
Btw. if the above “string or list” construct would be possible somehow, that would also help with the “cannot reset the value of ExecStart” issue with ncm-systemd 😊
From: Stijn De Weirdt <notifications@github.com>
Sent: 10 June 2020 17:29
To: quattor/configuration-modules-core <configuration-modules-core@noreply.github.com>
Cc: Gombas, Gabor (Enterprise Infrastructure) <Gabor.Gombas@morganstanley.com>; Mention <mention@noreply.github.com>
Subject: Re: [quattor/configuration-modules-core] ncm-metaconfig: ssh daemon configuration support (#1377)
@stdweird commented on this pull request.
________________________________
In ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan<#1377 (comment)>:
+ 'RekeyLimit' ? string[] with length(SELF) == 1 || length(SELF) == 2
+ 'RSAAuthentication' ? boolean
+ 'RhostsRSAAuthentication' ? boolean
+ 'RevokedKeys' ? string
+ 'RDomain' ? string
+ 'SetEnv' ? string{}
+ 'StreamLocalBindMask' ? string with match (SELF, "^[0-7]{3,5}$")
+ 'StreamLocalBindUnlink' ? boolean
+ 'TrustedUserCAKeys' ? string
+ 'X11DisplayOffset' ? long(0..)
+ 'X11Forwarding' ? boolean
+ 'X11UseLocalHost' ? boolean
+};
+
+type sshd_config_match = {
+ "matches" : string[]
@gombasg<https://github.com/gombasg> why did you choose this so freeform? why not a list of dicts wit allowed keys and arbitrary values?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#1377 (review)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ABNYSMDTVTWAUNKZCFQGKY3RV6RFHANCNFSM4HFG7M3A>.
…________________________________
NOTICE: Morgan Stanley is not acting as a municipal advisor and the opinions or views contained herein are not intended to be, and do not constitute, advice within the meaning of Section 975 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. If you have received this communication in error, please destroy all electronic and paper copies and notify the sender immediately. Mistransmission is not intended to waive confidentiality or privilege. Morgan Stanley reserves the right, to the extent required and/or permitted under applicable law, to monitor electronic communications, including telephone calls with Morgan Stanley personnel. This message is subject to the Morgan Stanley General Disclaimers available at the following link: http://www.morganstanley.com/disclaimers. If you cannot access the links, please notify us by reply message and we will send the contents to you. By communicating with Morgan Stanley you acknowledge that you have read, understand and consent, (where applicable), to the foregoing and the Morgan Stanley General Disclaimers.
You may have certain rights regarding the information that Morgan Stanley collects about you. Please see our Privacy Pledge https://www.morganstanley.com/privacy-pledge for more information about your rights.
|
|
@gombasg i don't see why the matches itself need to be a list. all criteria have to match, so order seems irrelavnt. and if the 'All' key is used, we can handle in TT to only print 'All' without anything else. wrt the mixed type type, if you really want that, you can |
|
Superseded by #1452 |
This allows deprecating ncm-ssh. I'd appreciate if someone cross-checked the schema with the sshd_options man page.