diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/client.tt b/ncm-metaconfig/src/main/metaconfig/ssh/client.tt
index a84b09c55b..6184e62512 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/client.tt
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/client.tt
@@ -2,7 +2,7 @@
 [% INCLUDE metaconfig/ssh/client_attrs.tt data=main -%]
 [% FOREACH mt IN Match -%]
-Match [% mt.matches.join(' ') %]
+[% INCLUDE metaconfig/ssh/match.tt %]
 [% INCLUDE metaconfig/ssh/client_attrs.tt data=mt FILTER indent %]
 [% END -%]
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/client_attrs.tt b/ncm-metaconfig/src/main/metaconfig/ssh/client_attrs.tt
index 6a747dbd12..675893d00e 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/client_attrs.tt
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/client_attrs.tt
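Review bot: The added `[% INCLUDE metaconfig/ssh/match.tt %]` relies on the enclosing loop variable being named `mt`, which match.tt dereferences as `mt.criteria.pairs`; nothing in client.tt (or in the parallel server.tt added later in this diff) records that contract, and a renamed loop variable would silently render a bare `Match` line that ssh rejects. Passing it explicitly, `[% INCLUDE metaconfig/ssh/match.tt mt=mt %]`, or a comment such as `[% # match.tt reads the current Match entry from 'mt' -%]` above the loop would make the dependency visible.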
@@ -1,30 +1,28 @@
-[% spacelist = ['SendEnv', 'GlobalKnownHostsFile', 'IgnoreUnknown', 'UserKnownHostsFile' ] -%]
-[% commalist = ['Ciphers', 'HostbasedKeyTypes','HostKeyAlgorithms', 'KbdInteractiveDevices', 'KbdInteractiveDevices',
- 'MACs', 'PreferredAuthentications', 'CanonicalDomains', 'CanonicalizePermittedCNAMEs', 'KexAlgorithms',
- ] -%]
-[% multilinelist = ['IdentityFile', 'RevokedHostKeys'] -%]
-[% booleans = ['BatchMode', 'CanonicalizeFallbackLocal', 'ChallengeResponseAuthentication', 'CheckHostIP',
- 'ClearAllForwardings', 'Compression', 'EnableSSHKeysign', 'ExitOnForwardFailure', 'ForwardAgent', 'ForwardX11',
- 'ForwardX11Trusted', 'GatewayPorts', 'GSSAPIAuthentication', 'GSSAPIDelegateCredentials', 'HashKnownHosts',
- 'HostbasedAuthentication', 'IdentitiesOnly', 'KbdInteractiveAuthentication', 'NoHostAuthenticationForLocalhost',
- 'PasswordAuthentication', 'PermitLocalCommand', 'ProxyUseFdpass', 'PubkeyAuthentication', 'RhostsRSAAuthentication',
- 'RSAAuthentication', 'StreamLocalBindUnlink', 'TCPKeepAlive', 'UsePrivilegedPort', 'VisualHostKey',
- ] -%]
-
+[% # different forms of list handling, default for list type is comma separated
+ spacelist = ['SendEnv', 'GlobalKnownHostsFile', 'IgnoreUnknown', 'Include', 'UserKnownHostsFile' ];
+ multilinelist = ['CertificateFile', 'IdentityFile', 'RevokedHostKeys'];
+ -%]
 [%- FOREACH pair IN data.pairs -%]
-[% NEXT IF pair.key == 'hostnames' || pair.key == 'matches' -%]
 [% SWITCH pair.key -%]
-[% CASE booleans -%]
-[% pair.key %] [% pair.value ? 'Yes' : 'No' %]
+[% CASE ['hostnames', 'matches'] %][% # Do nothing -%]
 [% CASE spacelist -%]
 [% pair.key %] [% pair.value.join(' ') %]
-[% CASE commalist -%]
-[% pair.key %] [% pair.value.join(',') %]
 [% CASE multilinelist -%]
 [% FOREACH line IN pair.value -%]
 [% pair.key %] [% line %]
 [% END -%]
+[% CASE 'SetEnv' -%]
+[% FOREACH item IN pair.value.pairs -%]
+SetEnv [% item.key %]="[% item.value %]"
+[% END -%]
 [% CASE -%]
-[% pair.key %] [% pair.value %]
-[% END -%]
+[% pair.key %] [% -%]
+[% IF pair.value.is_boolean -%]
+[% pair.value ? 'yes' : 'no' -%]
+[% ELSIF CCM.is_list(pair.value) -%]
+[% pair.value.join(',') -%]
+[% ELSE -%]
+[% pair.value -%]
+[% END -%]
+[% END %]
 [% END -%]
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/match.tt b/ncm-metaconfig/src/main/metaconfig/ssh/match.tt
new file mode 100644
index 0000000000..4544e0509b
--- /dev/null
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/match.tt
@@ -0,0 +1,8 @@
+Match[% -%]
+[% FOREACH pair IN mt.criteria.pairs -%]
+[% IF pair.value.is_boolean -%]
+ [% pair.key -%]
+[% ELSE -%]
+ [% pair.key %] [% CCM.is_list(pair.value) ? pair.value.join(',') : pair.value -%]
+[% END -%]
+[% END -%]
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan b/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan
index 25b47c179c..8351b927c6 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan
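Review bot: `IgnoreUnknown` stays in `spacelist` on the new second line, but ssh_config(5) defines it as a pattern-list, which is comma-separated; ssh takes a single argument for it, so `IgnoreUnknown IPQoS KbdInteractiveAuthentication` (what the client_allopts regexp expects) should, as far as I know, be rejected as extra arguments at the end of the line rather than ignore both names. Dropping it from `spacelist` lets it fall through to the default `join(',')` branch, and the line in tests/regexps/client_allopts/base would become `^IgnoreUnknown\sIPQoS,KbdInteractiveAuthentication$`. Separately, the `SetEnv [% item.key %]="[% item.value %]"` line (and its twin in server_attrs.tt later in this diff) wraps the value in double quotes without escaping, so a value containing `"` or a newline breaks or extends the generated line; since `'SetEnv' ? string{}` in the schema carries no constraint, a `with` clause on that type (client and sshd variants) rejecting those characters would catch it at compile time.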
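Review bot: The criteria are rendered from `mt.criteria.pairs` in sorted key order (the client_config regexp expects `canonical exec ... originalhost ... user`), but ssh evaluates Match criteria left to right and, as far as I recall readconf.c, skips `exec` only when an earlier criterion has already failed; with `exec` sorted before `host`, `localuser`, `originalhost` and `user`, the command is run on every evaluation even when those never match, which is unlikely to be what a profile author intends. The `exec` value is also emitted unquoted on the `[% pair.key %] [% CCM.is_list(pair.value) ? ... %]` line, so a command with arguments would be parsed as further criteria; ssh_config(5) shows the quoted form `exec "command"`. Consider a dedicated branch, `[% ELSIF pair.key == 'exec' -%]` / ` exec "[% pair.value %]"`, rendered after the other criteria, and a schema `with` that rejects `"` in the value.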
@@ -5,29 +5,43 @@ include 'pan/types'; # rename these types to prevent conflicts # we will remove these in an upcoming pr after template-library-core # has been updated with the new types from ncm-ssh -type temp_ssh_ciphers = string with match (SELF, "^((blowfish|3des|aes128|aes192|aes256|cast128)-cbc" + - "|(aes128|aes192|aes256)-ctr|arcfour|arcfour(128|256)|(aes128-gcm|aes256-gcm|chacha20-poly1305)@openssh.com)$"); -type temp_ssh_hostkeyalgorithms = string with match(SELF, "^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|" + - "(ssh-rsa-cert-v01|ssh-dss-cert-v01|ecdsa-sha2-nistp256-cert-v01|ecdsa-sha2-nistp384-cert-v01|" + - "ecdsa-sha2-nistp521-cert-v01|ssh-rsa-cert-v00|ssh-dss-cert-v00|ssh-ed25519-cert-v01)@openssh.com)$"); +type temp_ssh_ciphers = string with match (SELF, "^[+-]?(" + + "(blowfish|3des|aes(128|192|256)|cast128)-cbc" + + "|aes(128|192|256)-ctr|arcfour|arcfour(128|256)" + + "|(aes(128|256)-gcm|chacha20-poly1305)@openssh.com)$"); +type temp_ssh_hostkeyalgorithms = string with match(SELF, "^[+-]?(" + + "ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|" + + "(ssh-rsa-cert-v0[01]|ssh-dss-cert-v01|ecdsa-sha2-nistp(256|384|521)-cert-v01|" + + "ssh-dss-cert-v00|ssh-ed25519-cert-v01)@openssh.com)$"); type temp_ssh_kbdinteractivedevices = string with match (SELF, "^(bsdauth|pam|skey)$"); -type temp_ssh_kexalgorithms = string with match (SELF, "^(diffie-hellman-group(1-sha1|14-sha1|-exchange-sha1|" + - "-exchange-sha256)|ecdh-sha2-nistp(256|384|521)|curve25519-sha256@libssh.org|gss-gex-sha1-|" + - "gss-group1-sha1-|gss-group14-sha1-)$"); -type temp_ssh_MACs = string with match(SELF, "^(hmac-(sha1|sha1-96|sha2-256|sha2-512|md5|md5-96|ripemd160)|" + +# Recent versions have distinct GSSAPIKexAlgorithms +type temp_ssh_gss_kexalgorithms = string with match (SELF, "^[+-]?(gss-(gex|group1|group14)-sha1-" + + "|gss-group14-sha256-|gss-group16-sha512-|gss-nistp256-sha256-|gss-curve25519-sha256-)$"); +# Older versions include GSSAPI mechanisms in 
KEXAlgorithms, but only the SHA1 variants +type temp_ssh_kexalgorithms = string with match (SELF, "^[+-]?(" + + "diffie-hellman-group(1-sha1|14-sha1|-exchange-sha1|-exchange-sha256)" + + "|ecdh-sha2-nistp(256|384|521)|curve25519-sha256@libssh.org" + + "|gss-(gex|group1|group14)-sha1-)$"); +type temp_ssh_MACs = string with match(SELF, "^[+-]?(hmac-(sha1|sha1-96|sha2-256|sha2-512|md5|md5-96|ripemd160)|" + "(hmac-ripemd160|umac-64|umac-128|hmac-sha1-etm|hmac-sha1-96-etm|hmac-sha2-256-etm|hmac-sha2-512-etm|" + "hmac-md5-etm|hmac-md5-96-etm|hmac-ripemd160-etm|umac-64-etm|umac-128-etm)@openssh.com)$"); +type temp_ssh_CAAlgorithms = string with match(SELF, "^[+-]?(" + + "ecdsa-sha2-nistp(256|384|521)|ssh-ed25519|rsa-sha2-(256|512)|ssh-rsa)$"); type ssh_config_opts = { + 'AddKeysToAgent' ? string with match (SELF, "^(yes|no|ask|confirm)$") 'AddressFamily' ? string with match (SELF, "^(any|inet|inet6)$") 'BatchMode' ? boolean 'BindAddress' ? string + 'BindInterface' ? string 'CanonicalDomains' ? string[] 'CanonicalizeFallbackLocal' ? boolean 'CanonicalizeHostname' ? string with match (SELF, "^(yes|no|always)$") 'CanonicalizeMaxDots' ? long(0..) 'CanonicalizePermittedCNAMEs' ? string[] + 'CASignatureAlgorithms' ? temp_ssh_CAAlgorithms[] + 'CertificateFile' ? string[] 'ChallengeResponseAuthentication' ? boolean 'CheckHostIP' ? boolean 'Cipher' ? string with match (SELF, "^(blowfish|3des|des)$") @@ -52,7 +66,13 @@ type ssh_config_opts = { 'GatewayPorts' ? boolean 'GlobalKnownHostsFile' ? string[] 'GSSAPIAuthentication' ? boolean + 'GSSAPIClientIdentity' ? string 'GSSAPIDelegateCredentials' ? boolean + 'GSSAPIKeyExchange' ? boolean + 'GSSAPIKexAlgorithms' ? temp_ssh_gss_kexalgorithms[] + 'GSSAPIRenewalForcesRekey' ? boolean + 'GSSAPIServerIdentity' ? string + 'GSSAPITrustDns' ? boolean 'HashKnownHosts' ? boolean 'HostbasedAuthentication' ? boolean 'HostbasedKeyTypes' ? string[] 
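Review bot: `temp_ssh_hostkeyalgorithms`, now also used for `PubkeyAcceptedKeyTypes`, still accepts only `ssh-rsa` for RSA and has no `rsa-sha2-256`/`rsa-sha2-512` alternatives, although `temp_ssh_CAAlgorithms` a few lines below lists them; a profile that removes SHA-1 RSA signatures with `-ssh-rsa` therefore cannot list the SHA-2 variants it wants instead, so the alternation should gain `rsa-sha2-(256|512)` and the matching `-cert-v01@openssh.com` forms. The new `^[+-]?` prefix is checked per element of a `[]` type, whereas ssh applies a single `+`/`-` to the whole comma-joined specification, so `list("-ssh-rsa", "-ssh-dss")` validates here but renders as `-ssh-rsa,-ssh-dss`, which I would expect ssh to reject; a `with` clause on the list-valued fields that permits the prefix only on element 0 would catch that at compile time. The same applies to `temp_ssh_ciphers`, `temp_ssh_kexalgorithms`, `temp_ssh_gss_kexalgorithms`, `temp_ssh_MACs` and `temp_ssh_CAAlgorithms` in this hunk.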
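Review bot: `GSSAPIKeyExchange`, `GSSAPIKexAlgorithms`, `GSSAPIClientIdentity`, `GSSAPIServerIdentity`, `GSSAPITrustDns` and `GSSAPIRenewalForcesRekey` are, to my knowledge, provided by the GSSAPI key-exchange patch that some distributions carry rather than by upstream OpenSSH, so a client built without it rejects the generated file with an unknown-option error unless the names are also placed in `IgnoreUnknown`. A schema comment would save the next reader a search, e.g. `# GSSAPI key-exchange options come from the distribution GSSAPI patch, not upstream OpenSSH; add them to IgnoreUnknown on unpatched clients`. The same holds for `GSSAPIKeyExchange`, `GSSAPIKexAlgorithms` and `GSSAPIStoreCredentialsOnRekey` in the sshd types added later in this diff.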
@@ -60,8 +80,10 @@ type ssh_config_opts = { 'HostKeyAlias' ? string 'HostName' ? string 'IdentitiesOnly' ? boolean + 'IdentityAgent' ? string 'IdentityFile' ? string[] 'IgnoreUnknown' ? string[] + 'Include' ? string[] 'IPQoS' ? string with match (SELF, "^(af[1234][123]|cs[0-7]|ef|lowdelay|throughput|reliability)$") 'KbdInteractiveAuthentication' ? boolean 'KbdInteractiveDevices' ? temp_ssh_kbdinteractivedevices[] @@ -79,9 +101,12 @@ type ssh_config_opts = { 'PreferredAuthentications' ? string[] 'Protocol' ? long(1..2) 'ProxyCommand' ? string + 'ProxyJump' ? string[] 'ProxyUseFdpass' ? boolean + 'PubkeyAcceptedKeyTypes' ? temp_ssh_hostkeyalgorithms[] 'PubkeyAuthentication' ? boolean 'RekeyLimit' ? string + 'RemoteCommand' ? string 'RemoteForward' ? string 'RequestTTY' ? string with match (SELF, "^(yes|no|force|auto)$") 'RevokedHostKeys' ? string[] @@ -90,9 +115,11 @@ type ssh_config_opts = { 'SendEnv' ? string[] 'ServerAliveCountMax' ? long(0..) 'ServerAliveInterval' ? long(0..) + 'SetEnv' ? string{} 'StreamLocalBindMask' ? string 'StreamLocalBindUnlink' ? boolean 'StrictHostKeyChecking' ? string with match (SELF, "^(yes|no|ask)$") + 'SyslogFacility' ? string with match(SELF, "^(DAEMON|USER|AUTH(PRIV)?|LOCAL[0-7])$") 'TCPKeepAlive' ? boolean 'Tunnel' ? string with match (SELF, "^(yes|no|point-to-point|ethernet)$") 'TunnelDevice' ? string 
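Review bot: `Include` is typed as a plain `string[]` inside `ssh_config_opts`, so in `main` it is rendered by client_attrs.tt at its sorted position (after `IgnoreUnknown`, before `KbdInteractiveAuthentication`, as the client_allopts regexp shows), and since ssh keeps the first value obtained for each option, the included files silently override every `main` option that sorts after `Include` while being overridden by those that sort before it. If the intent is for `main` to win (or to lose) deterministically, the directive needs its own placement in the template rather than the default key order; at minimum the behaviour should be stated on the type, e.g. `'Include' ? string[] # rendered in key order: included files override main options sorting after 'Include'`.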
@@ -108,13 +135,27 @@ type ssh_config_opts = { type ssh_config_host = { "hostnames" : string[] include ssh_config_opts +}; +type ssh_config_match_criteria = { + "all" ? boolean with SELF + "canonical" ? boolean with SELF + "final" ? boolean with SELF + "user" ? string[] + "localuser" ? string[] + "host" ? string[] + "originalhost" ? string[] + "exec" ? string +} with { + if (exists(SELF['all']) && length(SELF) > 1) { + error('You can only set all, no other options allowed'); + }; + true; }; type ssh_config_match = { - "matches" : string[] + "criteria" : ssh_config_match_criteria with length(SELF) > 0 include ssh_config_opts - }; type ssh_config_file = { 
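Review bot: The `with` block on `ssh_config_match_criteria` rejects `all` combined with anything, but ssh_config(5) states that `all` must appear alone or immediately after `canonical` or `final`, so the legitimate `Match canonical all` and `Match final all` forms cannot be expressed. The guard could become `if (exists(SELF['all']) && length(SELF) > 1 && !(length(SELF) == 2 && (exists(SELF['canonical']) || exists(SELF['final'])))) {`; note that match.tt renders keys in sorted order, which would put `all` before `canonical`/`final`, so the template would also need to emit `all` last for that combination to be accepted by ssh.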
@@ -123,3 +164,130 @@ type ssh_config_file = { 'main' ? ssh_config_opts }; +# Not all options may appear inside a Match block +type sshd_config_match_opts = { + 'AcceptEnv' ? string[] + 'AllowAgentForwarding' ? boolean + 'AllowGroups' ? string[] + 'AllowStreamLocalForwarding' ? string with match (SELF, "^(yes|all|no|local|remote)$") + 'AllowTcpForwarding' ? string with match (SELF, "^(yes|all|no|local|remote)$") + 'AllowUsers' ? string[] + 'AuthenticationMethods' ? string[] # Don't go into details - it does not seem to worth the effort + 'AuthorizedKeysCommand' ? absolute_file_path + 'AuthorizedKeysCommandUser' ? string + 'AuthorizedKeysFile' ? string[] + 'AuthorizedPrincipalsCommand' ? absolute_file_path + 'AuthorizedPrincipalsCommandUser' ? string + 'AuthorizedPrincipalsFile' ? string[] + 'Banner' ? string + 'ChrootDirectory' ? string + 'ClientAliveCountMax' ? long(1..) + 'ClientAliveInterval' ? long(0..) + 'DenyGroups' ? string[] + 'DenyUsers' ? string[] + 'ForceCommand' ? string + 'GatewayPorts' ? string with match (SELF, "^(yes|no|clientspecified)$") + 'GSSAPIAuthentication' ? boolean + 'HostbasedAcceptedKeyTypes' ? temp_ssh_hostkeyalgorithms[] + 'HostbasedAuthentication' ? boolean + 'HostbasedUsesNameFromPacketOnly' ? boolean + 'IPQoS' ? string[] with length(SELF) == 1 || length(SELF) == 2 + 'KbdInteractiveAuthentication' ? boolean + 'KerberosAuthentication' ? boolean + 'LogLevel' ? string with match (SELF, "^(QUIET|FATAL|ERROR|INFO|VERBOSE|DEBUG[123]?)$") + 'MaxAuthTries' ? long(1..) + 'MaxSessions' ? long(0..) + 'PasswordAuthentication' ? boolean + 'PermitEmptyPasswords' ? boolean + 'PermitListen' ? string[] # type_hostport would not allow wildcards + 'PermitOpen' ? string[] # type_hostport would not allow wildcards + 'PermitRootLogin' ? string with match (SELF, "^(yes|prohibit-password|without-password|forced-commands-only|no)$") + 'PermitTTY' ? boolean + 'PermitTunnel' ? string with match (SELF, "^(yes|point-to-point|ethernet|no)$") + 'PermitUserRC' ? 
boolean + 'PubkeyAcceptedKeyTypes' ? temp_ssh_hostkeyalgorithms[] + 'PubkeyAuthentication' ? boolean + 'RekeyLimit' ? string[] with length(SELF) == 1 || length(SELF) == 2 + 'RSAAuthentication' ? boolean + 'RhostsRSAAuthentication' ? boolean + 'RevokedKeys' ? string + 'RDomain' ? string + 'SetEnv' ? string{} + 'StreamLocalBindMask' ? string with match (SELF, "^[0-7]{3,5}$") + 'StreamLocalBindUnlink' ? boolean + 'TrustedUserCAKeys' ? string + 'X11DisplayOffset' ? long(0..) + 'X11Forwarding' ? boolean + 'X11UseLocalHost' ? boolean +}; + +type sshd_config_match_criteria = { + "All" ? boolean with SELF + "User" ? string[] + "Group" ? string[] + "Host" ? string[] + "LocalAddress" ? string[] + "LocalPort" ? string[] + "RDomain" ? string[] + "Address" ? string[] +} with { + if (exists(SELF['All']) && length(SELF) > 1) { + error('You can only set All, no other options allowed'); + }; + true; +}; + +type sshd_config_match = { + "criteria" : sshd_config_match_criteria with length(SELF) > 0 + include sshd_config_match_opts +}; + +type sshd_config_opts = { + include sshd_config_match_opts + 'AddressFamily' ? string with match (SELF, "^(any|inet|inet6)$") + 'CASignatureAlgorithms' ? temp_ssh_CAAlgorithms[] + 'ChallengeResponseAuthentication' ? boolean + 'Ciphers' ? temp_ssh_ciphers[] + 'Compression' ? boolean + 'DisableForwarding' ? boolean + 'ExposeAuthInfo' ? boolean + 'FingerprintHash' ? string with match (SELF, "^(md5|sha256)$") + 'GSSAPICleanupCredentials' ? boolean + 'GSSAPIKeyExchange' ? boolean + 'GSSAPIKexAlgorithms' ? temp_ssh_gss_kexalgorithms[] + 'GSSAPIStrictAcceptorCheck' ? boolean + 'GSSAPIStoreCredentialsOnRekey' ? boolean + 'HostCertificate' ? string + 'HostKey' ? string[] + 'HostKeyAgent' ? string + 'HostKeyAlgorithms' ? temp_ssh_hostkeyalgorithms[] + 'IgnoreRhosts' ? boolean + 'IgnoreUserKnownHosts' ? boolean + 'KerberosGetAFSToken' ? boolean + 'KerberosOrLocalPasswd' ? boolean + 'KerberosTicketCleanup' ? boolean + 'KexAlgorithms' ? 
temp_ssh_kexalgorithms[]
+ 'ListenAddress' ? type_hostport[]
+ 'LoginGraceTime' ? long(0..)
+ 'MACs' ? temp_ssh_MACs[]
+ 'Match' ? sshd_config_match[]
+ 'MaxStartups' ? string with match (SELF, "^[0-9]+(:[0-9]+:[0-9]+)?$")
+ 'PermitUserEnvironment' ? boolean
+ 'PidFile' ? absolute_file_path
+ 'Port' ? long(1..)[]
+ 'PrintLastLog' ? boolean
+ 'PrintMotd' ? boolean
+ 'StrictModes' ? boolean
+ 'Subsystem' ? string{}
+ 'SyslogFacility' ? string with match (SELF, "^(DAEMON|USER|AUTH|LOCAL[0-7])$")
+ 'TCPKeepAlive' ? boolean
+ 'UseDNS' ? boolean
+ 'UsePAM' ? boolean
+ 'VersionAddendum' ? string
+ 'XAuthLocation' ? absolute_file_path
+};
+
+type sshd_config_file = {
+ 'Match' ? sshd_config_match[]
+ 'main' ? sshd_config_opts
+};
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/pan/server_config.pan b/ncm-metaconfig/src/main/metaconfig/ssh/pan/server_config.pan
new file mode 100644
index 0000000000..2e1d20c2e3
--- /dev/null
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/pan/server_config.pan
@@ -0,0 +1,14 @@
+unique template metaconfig/ssh/server_config;
+
+include 'metaconfig/ssh/schema';
+
+bind "/software/components/metaconfig/services/{/etc/ssh/sshd_config}/contents" = sshd_config_file;
+
+# since final locks the whole path, bind it to a fix value and set it as default too
+bind "/software/components/metaconfig/commands/sshd_test_stdin" =
+ string = "/usr/sbin/sshd -t -f /dev/stdin" with SELF == "/usr/sbin/sshd -t -f /dev/stdin";
+
+prefix "/software/components/metaconfig/services/{/etc/ssh/sshd_config}";
+"module" = "ssh/server";
+"actions/test" = "sshd_test_stdin";
+"daemons/sshd" = "restart";
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/server.tt b/ncm-metaconfig/src/main/metaconfig/ssh/server.tt
new file mode 100644
index 0000000000..c33d9f7c39
--- /dev/null
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/server.tt
@@ -0,0 +1,7 @@
+
+[% INCLUDE metaconfig/ssh/server_attrs.tt data=main -%]
+
+[% FOREACH mt IN Match -%]
+[% INCLUDE metaconfig/ssh/match.tt %]
+[% INCLUDE metaconfig/ssh/server_attrs.tt data=mt FILTER indent %]
+[% END -%]
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/server_attrs.tt b/ncm-metaconfig/src/main/metaconfig/ssh/server_attrs.tt
new file mode 100644
index 0000000000..e362e817f7
--- /dev/null
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/server_attrs.tt
@@ -0,0 +1,32 @@
+[% # different forms of list handling, default for list type is space separated
+ commalist = ['Ciphers', 'HostKeyAlgorithms', 'HostbasedAcceptedKeyTypes', 'KexAlgorithms', 'MACs', 'PubkeyAcceptedKeyTypes' ];
+ multilinelist = ['HostKey', 'ListenAddress', 'Port' ]
+ -%]
+[%- FOREACH pair IN data.pairs -%]
+[% SWITCH pair.key -%]
+[% CASE 'criteria' %][% # do nothing -%]
+[% CASE commalist -%]
+[% pair.key %] [% pair.value.join(',') %]
+[% CASE multilinelist -%]
+[% FOREACH line IN pair.value -%]
+[% pair.key %] [% line %]
+[% END -%]
+[% CASE 'Subsystem' -%]
+[% FOREACH item IN pair.value.pairs -%]
+Subsystem [% item.key %] [% item.value %]
+[% END -%]
+[% CASE 'SetEnv' -%]
+[% FOREACH item IN pair.value.pairs -%]
+SetEnv [% item.key %]="[% item.value %]"
+[% END -%]
+[% CASE -%]
+[% pair.key %] [% -%]
+[% IF pair.value.is_boolean -%]
+[% pair.value ? 'yes' : 'no' -%]
+[% ELSIF CCM.is_list(pair.value) -%]
+[% pair.value.join(' ') -%]
+[% ELSE -%]
+[% pair.value -%]
+[% END -%]
+[% END %]
+[% END -%]
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/client_allopts.pan b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/client_allopts.pan
index dc93c9c719..4d33f2cf91 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/client_allopts.pan
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/client_allopts.pan
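Review bot: `'Match' ? sshd_config_match[]` is declared inside `sshd_config_opts` as well as in `sshd_config_file`; `main` is bound to `sshd_config_opts` and server_attrs.tt renders every key of `main`, so by my reading a `main/Match` entry would reach the default branch and be emitted as `Match` followed by the space-joined stringified dicts, which `sshd -t` would presumably reject — the field belongs only in `sshd_config_file`, where server.tt iterates it. Two smaller type points in the same hunk: `'Port' ? long(1..)[]` has no upper bound (`long(1..65535)[]`), and `'AuthorizedKeysCommand'` / `'AuthorizedPrincipalsCommand' ? absolute_file_path` reject the documented form with arguments and tokens such as `/usr/sbin/key-lookup %u %k`, so `string with match(SELF, "^/")` would keep the absolute-path requirement without that restriction. `SyslogFacility` also differs between the client type (`AUTH(PRIV)?`) and this one (`AUTH`); as far as I know sshd accepts AUTHPRIV where the platform provides it, so the two regexes could be shared.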
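Review bot: `commalist` on the second line omits `CASignatureAlgorithms` and `GSSAPIKexAlgorithms`, both declared as `temp_..._[]` lists in `sshd_config_opts`, so they fall through to the default branch and are joined with spaces (`CASignatureAlgorithms ssh-ed25519 rsa-sha2-512`), which sshd does not accept for these comma-separated algorithm lists; the server_allopts profile sets neither, so the regexp test does not catch it. `commalist = ['CASignatureAlgorithms', 'Ciphers', 'GSSAPIKexAlgorithms', 'HostKeyAlgorithms', 'HostbasedAcceptedKeyTypes', 'KexAlgorithms', 'MACs', 'PubkeyAcceptedKeyTypes' ];` fixes it. The space join in the default branch is also semantically loaded for `AuthenticationMethods`, where space-separated entries are alternatives and a required combination must be a single element; a comment there such as `[% # space-joined elements are alternatives for AuthenticationMethods; a required combination is one element, e.g. 'publickey,password' -%]` would prevent surprises.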
@@ -4,13 +4,17 @@ include 'metaconfig/ssh/client_config'; prefix "/software/components/metaconfig/services/{/etc/ssh/ssh_config}/contents"; +"main/AddKeysToAgent" = "confirm"; "main/AddressFamily" = "any"; "main/BatchMode" = true; "main/BindAddress" = "192.168.1.1"; +"main/BindInterface" = "eth0"; +"main/CASignatureAlgorithms" = list("ssh-ed25519", "rsa-sha2-512"); "main/CanonicalDomains" = list(".com", ".eu"); "main/CanonicalizeFallbackLocal" = true; "main/CanonicalizeHostname" = "always"; "main/CanonicalizePermittedCNAMEs" = list("*.a.example.com:*.b.example.com", "*.c.example.com"); +"main/CertificateFile" = list("/absolute/path", "~/home/relative"); "main/ChallengeResponseAuthentication" = false; "main/CheckHostIP" = true; "main/Cipher" = "3des"; @@ -35,7 +39,12 @@ prefix "/software/components/metaconfig/services/{/etc/ssh/ssh_config}/contents" "main/GatewayPorts" = false; "main/GlobalKnownHostsFile" = list("/etc/ssh/ssh_known_hosts", "/etc/ssh/ssh_known_hosts2"); "main/GSSAPIAuthentication" = false; +"main/GSSAPIClientIdentity" = "custom"; "main/GSSAPIDelegateCredentials" = false; +"main/GSSAPIKeyExchange" = true; +"main/GSSAPIRenewalForcesRekey" = true; +"main/GSSAPIServerIdentity" = "server@principal"; +"main/GSSAPITrustDns" = false; "main/HashKnownHosts" = false; "main/HostbasedAuthentication" = true; "main/HostbasedKeyTypes" = list("*"); @@ -43,8 +52,10 @@ prefix "/software/components/metaconfig/services/{/etc/ssh/ssh_config}/contents" "main/HostKeyAlias" = "hostname2"; "main/HostName" = "%h"; "main/IdentitiesOnly" = true; +"main/IdentityAgent" = "none"; "main/IdentityFile" = list("~/.ssh/identity", "~/.ssh/id_rsa", "~/.ssh/id_dsa"); "main/IgnoreUnknown" = list("IPQoS", "KbdInteractiveAuthentication"); +"main/Include" = list("/absolute/path", "~/home/relative", "sshconf_relative"); "main/IPQoS" = "throughput"; "main/KbdInteractiveAuthentication" = true; "main/KbdInteractiveDevices" = list("pam", "skey"); 
@@ -62,9 +73,12 @@ prefix "/software/components/metaconfig/services/{/etc/ssh/ssh_config}/contents" "main/PreferredAuthentications" = list("gssapi-with-mic", "hostbased", "publickey"); "main/Protocol" = 2; "main/ProxyCommand" = "ssh -q -W %h:%p gateway.example.com"; +"main/ProxyJump" = list("user1@host1", "user2@host2"); "main/ProxyUseFdpass" = false; +"main/PubkeyAcceptedKeyTypes" = list("-ssh-rsa"); "main/PubkeyAuthentication" = true; "main/RekeyLimit" = "1G"; +"main/RemoteCommand" = "cat /etc/motd"; "main/RemoteForward" = "*"; "main/RequestTTY" = "force"; "main/RevokedHostKeys" = list("~/.ssh/revokedkeys.txt"); @@ -73,9 +87,11 @@ prefix "/software/components/metaconfig/services/{/etc/ssh/ssh_config}/contents" "main/SendEnv" = list("LANG", "LC_CTYPE", "LC_NUMERIC", "LC_TIME"); "main/ServerAliveCountMax" = 4; "main/ServerAliveInterval" = 0; +"main/SetEnv" = dict("LC_ALL", "C", "TERM", "xterm"); "main/StreamLocalBindMask" = "0177"; "main/StreamLocalBindUnlink" = false; "main/StrictHostKeyChecking" = "ask"; +"main/SyslogFacility" = "LOCAL1"; "main/TCPKeepAlive" = true; "main/Tunnel" = "ethernet"; "main/TunnelDevice" = "tun0"; diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/client_config.pan b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/client_config.pan index d71286553a..189cf65c1f 100644 --- a/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/client_config.pan +++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/client_config.pan 
@@ -8,14 +8,17 @@ prefix "/software/components/metaconfig/services/{/etc/ssh/ssh_config}/contents" "main/IdentityFile" = list("~/.ssh/identity", "~/.ssh/id_rsa", "~/.ssh/id_dsa"); "main/Ciphers" = list("aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256", "arcfour128", "aes128-cbc", "3des-cbc"); -'Match' = append( - dict( - "matches", list("user testuser2", "originalhost hostname4"), - "ForwardX11", false, - "BatchMode", true, - "NumberOfPasswordPrompts", 1, - ) - ); +'Match/0' = dict( + "ForwardX11", false, + "BatchMode", true, + "NumberOfPasswordPrompts", 1, +); +'Match/0/criteria' = dict( + "user", list("testuser2"), + "originalhost", list("hostname4"), + "exec", "/a/b/c", + "canonical", true, +); 'Host' = append( dict( @@ -41,7 +44,8 @@ prefix "/software/components/metaconfig/services/{/etc/ssh/ssh_config}/contents" "hostnames", list("*"), "GSSAPIAuthentication", true, "ForwardX11Trusted", true, - "SendEnv", list("LANG", "LC_CTYPE", "LC_NUMERIC", "LC_TIME", "LC_ALL", "LC_MESSAGES", "LANGUAGE", "XMODIFIERS"), + "SendEnv", list("LANG", "LC_CTYPE", "LC_NUMERIC", "LC_TIME", "LC_ALL", + "LC_MESSAGES", "LANGUAGE", "XMODIFIERS"), ) ); diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_allopts.pan b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_allopts.pan new file mode 100644 index 0000000000..d8d2f5d3cc --- /dev/null +++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_allopts.pan 
@@ -0,0 +1,96 @@ +object template server_allopts; + +include 'metaconfig/ssh/server_config'; + +prefix "/software/components/metaconfig/services/{/etc/ssh/sshd_config}/contents"; + +"main/AcceptEnv" = list("LC_CTYPE", "LANG", "TERM"); +"main/AddressFamily" = "any"; +"main/AllowAgentForwarding" = false; +"main/AllowGroups" = list("wheel"); +"main/AllowStreamLocalForwarding" = "local"; +"main/AllowTcpForwarding" = "local"; +"main/AllowUsers" = list("quattor"); +"main/AuthenticationMethods" = list("any"); +"main/AuthorizedKeysCommand" = "/usr/sbin/key-lookup"; +"main/AuthorizedKeysCommandUser" = "keyuser"; +"main/AuthorizedKeysFile" = list("/etc/ssh/authorized_keys", ".ssh/authorized_keys"); +"main/AuthorizedPrincipalsCommand" = "/usr/sbin/principal-lookup"; +"main/AuthorizedPrincipalsCommandUser" = "princuser"; +"main/AuthorizedPrincipalsFile" = list("/etc/ssh/x509_users", ".ssh/x509_users"); +"main/Banner" = "Configured by Quattor"; +"main/ChallengeResponseAuthentication" = false; +"main/ChrootDirectory" = "/srv/ssh"; +"main/Ciphers" = list("chacha20-poly1305@openssh.com", "arcfour256", "arcfour128", "aes128-cbc", "3des-cbc"); +"main/ClientAliveCountMax" = 3; +"main/ClientAliveInterval" = 30; +"main/Compression" = false; +"main/DenyGroups" = list("adm"); +"main/DenyUsers" = list("root"); +"main/DisableForwarding" = false; +"main/ExposeAuthInfo" = false; +"main/FingerprintHash" = "sha256"; +"main/ForceCommand" = "cat /etc/motd"; +"main/GatewayPorts" = "clientspecified"; +"main/GSSAPIAuthentication" = true; +"main/GSSAPICleanupCredentials" = true; +"main/GSSAPIKeyExchange" = true; +"main/GSSAPIStrictAcceptorCheck" = true; +"main/GSSAPIStoreCredentialsOnRekey" = true; +"main/HostbasedAcceptedKeyTypes" = list("-ssh-rsa"); +"main/HostbasedAuthentication" = true; +"main/HostbasedUsesNameFromPacketOnly" = false; +"main/HostCertificate" = "/etc/ssh/ssh_host_cert.pem"; +"main/HostKey" = list("/etc/ssh/ssh_host_rsa_key", "/etc/ssh/ssh_host_ed25519_key"); +"main/HostKeyAgent" 
= "/run/ssh/key_agent.socket"; +"main/HostKeyAlgorithms" = list("ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"); +"main/IPQoS" = list("lowdelay", "throughput"); +"main/IgnoreRhosts" = true; +"main/IgnoreUserKnownHosts" = true; +"main/KbdInteractiveAuthentication" = true; +"main/KerberosAuthentication" = false; +"main/KerberosGetAFSToken" = false; +"main/KerberosOrLocalPasswd" = false; +"main/KerberosTicketCleanup" = true; +"main/KexAlgorithms" = list("ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"); +"main/ListenAddress" = list("127.0.0.1:22", "192.168.0.1:22", "192.168.0.1:2200"); +"main/LogLevel" = "DEBUG3"; +"main/LoginGraceTime" = 60; +"main/MACs" = list("hmac-sha1-96-etm@openssh.com", "hmac-md5-96-etm@openssh.com"); +"main/MaxAuthTries" = 3; +"main/MaxSessions" = 10; +"main/MaxStartups" = "10:30:100"; +"main/PasswordAuthentication" = false; +"main/PermitEmptyPasswords" = false; +"main/PermitListen" = list("8080", "127.0.0.1:*"); +"main/PermitOpen" = list("8080", "192.168.0.1:*"); +"main/PermitRootLogin" = "prohibit-password"; +"main/PermitTTY" = true; +"main/PermitTunnel" = "point-to-point"; +"main/PermitUserEnvironment" = false; +"main/PermitUserRC" = false; +"main/PidFile" = "/run/sshd.pid"; +"main/Port" = list(22, 2200); +"main/PrintLastLog" = true; +"main/PrintMotd" = true; +"main/PubkeyAcceptedKeyTypes" = list("-ssh-rsa"); +"main/PubkeyAuthentication" = true; +"main/RDomain" = "%D"; +"main/RSAAuthentication" = false; +"main/RekeyLimit" = list("1G", "300s"); +"main/RevokedKeys" = "/etc/ssh/revoked_keys"; +"main/RhostsRSAAuthentication" = false; +"main/SetEnv" = dict("LC_ALL", "C", "TERM", "xterm"); +"main/StreamLocalBindMask" = "0177"; +"main/StreamLocalBindUnlink" = false; +"main/Subsystem" = dict("sftp", "internal-sftp"); +"main/SyslogFacility" = "AUTH"; +"main/TCPKeepAlive" = true; +"main/TrustedUserCAKeys" = "/etc/ssh/trusted_cas"; +"main/UseDNS" = true; +"main/UsePAM" = true; +"main/VersionAddendum" = "extra"; 
+"main/X11DisplayOffset" = 10; +"main/X11Forwarding" = true; +"main/X11UseLocalHost" = true; +"main/XAuthLocation" = "/usr/bin/xauth"; diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_config.pan b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_config.pan new file mode 100644 index 0000000000..31082acf6f --- /dev/null +++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_config.pan @@ -0,0 +1,27 @@ +object template server_config; + +# add this to test the actions/commands to trigger the main metaconfig bind +function pkg_repl = { null; }; +include 'components/metaconfig/config'; +# remove the dependencies +'/software/components/metaconfig/dependencies' = null; + +include 'metaconfig/ssh/server_config'; + +prefix "/software/components/metaconfig/services/{/etc/ssh/sshd_config}/contents"; + +"main/AddressFamily" = "any"; +"main/Ciphers" = list("aes128-ctr", "aes192-ctr", "aes256-ctr"); +"main/PasswordAuthentication" = false; +"main/Subsystem" = dict("sftp", "internal-sftp"); + +"Match/0/criteria" = dict( + "User", list("testuser2"), + "Address", list("192.168.0.0/16", "!192.168.10.0/24"), + ); +"Match/0/PasswordAuthentication" = true; + +"Match/1/criteria" = dict( + "All", true, + ); +"Match/1/PasswordAuthentication" = false; diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_allopts/base b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_allopts/base index 9c9de6832a..bc7c873a04 100644 --- a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_allopts/base +++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_allopts/base 
@@ -2,19 +2,23 @@ Base test for all ssh client config options --- /etc/ssh/ssh_config --- +^AddKeysToAgent\sconfirm$ ^AddressFamily\sany$ -^BatchMode\sYes$ +^BatchMode\syes$ ^BindAddress\s192\.168\.1\.1$ +^CASignatureAlgorithms\sssh-ed25519,rsa-sha2-512$ ^CanonicalDomains\s\.com,\.eu$ -^CanonicalizeFallbackLocal\sYes$ +^CanonicalizeFallbackLocal\syes$ ^CanonicalizeHostname\salways$ ^CanonicalizePermittedCNAMEs\s\*\.a\.example\.com:\*\.b\.example\.com,\*\.c\.example\.com$ -^ChallengeResponseAuthentication\sNo$ -^CheckHostIP\sYes$ +^CertificateFile\s/absolute/path$ +^CertificateFile\s~/home/relative$ +^ChallengeResponseAuthentication\sno$ +^CheckHostIP\syes$ ^Cipher\s3des$ ^Ciphers\schacha20-poly1305@openssh\.com,arcfour256,arcfour128,aes128-cbc,3des-cbc$ -^ClearAllForwardings\sYes$ -^Compression\sNo$ +^ClearAllForwardings\syes$ +^Compression\sno$ ^CompressionLevel\s7$ ^ConnectTimeout\s10$ ^ConnectionAttempts\s3$ 
@@ -22,67 +26,80 @@ Base test for all ssh client config options ^ControlPath\s%l%h%p%r$ ^ControlPersist\sno$ ^DynamicForward\s192\.168\.1\.2$ -^EnableSSHKeysign\sYes$ +^EnableSSHKeysign\syes$ ^EscapeChar\s~$ -^ExitOnForwardFailure\sYes$ +^ExitOnForwardFailure\syes$ ^FingerprintHash\ssha256$ -^ForwardAgent\sYes$ -^ForwardX11\sNo$ +^ForwardAgent\syes$ +^ForwardX11\sno$ ^ForwardX11Timeout\s10$ -^ForwardX11Trusted\sNo$ -^GSSAPIAuthentication\sNo$ -^GSSAPIDelegateCredentials\sNo$ -^GatewayPorts\sNo$ +^ForwardX11Trusted\sno$ +^GSSAPIAuthentication\sno$ +^GSSAPIClientIdentity\scustom$ +^GSSAPIDelegateCredentials\sno$ +^GSSAPIKeyExchange\syes$ +^GSSAPIRenewalForcesRekey\syes$ +^GSSAPIServerIdentity\sserver@principal$ +^GSSAPITrustDns\sno$ +^GatewayPorts\sno$ ^GlobalKnownHostsFile\s/etc/ssh/ssh_known_hosts\s/etc/ssh/ssh_known_hosts2$ -^HashKnownHosts\sNo$ +^HashKnownHosts\sno$ ^HostKeyAlgorithms\sssh-rsa-cert-v01@openssh\.com,ssh-dss-cert-v01@openssh\.com$ ^HostKeyAlias\shostname2$ ^HostName\s%h$ -^HostbasedAuthentication\sYes$ +^HostbasedAuthentication\syes$ ^HostbasedKeyTypes\s\*$ ^IPQoS\sthroughput$ -^IdentitiesOnly\sYes$ +^IdentitiesOnly\syes$ +^IdentityAgent\snone$ ^IdentityFile\s~/\.ssh/identity$ ^IdentityFile\s~/\.ssh/id_rsa$ ^IdentityFile\s~/\.ssh/id_dsa$ ^IgnoreUnknown\sIPQoS\sKbdInteractiveAuthentication$ -^KbdInteractiveAuthentication\sYes$ +^Include\s/absolute/path\s~/home/relative\ssshconf_relative$ +^KbdInteractiveAuthentication\syes$ ^KbdInteractiveDevices\spam,skey$ ^KexAlgorithms\secdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521$ ^LocalCommand\sls$ ^LocalForward\s\*$ ^LogLevel\sDEBUG3$ ^MACs\shmac-sha1-96-etm@openssh\.com,hmac-md5-96-etm@openssh\.com$ -^NoHostAuthenticationForLocalhost\sYes$ +^NoHostAuthenticationForLocalhost\syes$ ^NumberOfPasswordPrompts\s9$ ^PKCS11Provider\s/usr/lib/opensc-pkcs11\.so$ -^PasswordAuthentication\sNo$ -^PermitLocalCommand\sNo$ +^PasswordAuthentication\sno$ +^PermitLocalCommand\sno$ ^Port\s22$ 
^PreferredAuthentications\sgssapi-with-mic,hostbased,publickey$ ^Protocol\s2$ ^ProxyCommand\sssh\s-q\s-W\s%h:%p\sgateway\.example\.com$ -^ProxyUseFdpass\sNo$ -^PubkeyAuthentication\sYes$ -^RSAAuthentication\sYes$ +^ProxyJump\suser1@host1,user2@host2$ +^ProxyUseFdpass\sno$ +^PubkeyAcceptedKeyTypes\s-ssh-rsa$ +^PubkeyAuthentication\syes$ +^RSAAuthentication\syes$ ^RekeyLimit\s1G$ +^RemoteCommand\scat /etc/motd$ ^RemoteForward\s\*$ ^RequestTTY\sforce$ ^RevokedHostKeys\s~/\.ssh/revokedkeys\.txt$ -^RhostsRSAAuthentication\sYes$ +^RhostsRSAAuthentication\syes$ ^SendEnv\sLANG\sLC_CTYPE\sLC_NUMERIC\sLC_TIME$ ^ServerAliveCountMax\s4$ ^ServerAliveInterval\s0$ +^SetEnv\sLC_ALL="C"$ +^SetEnv\sTERM="xterm"$ ^StreamLocalBindMask\s0177$ -^StreamLocalBindUnlink\sNo$ +^StreamLocalBindUnlink\sno$ ^StrictHostKeyChecking\sask$ -^TCPKeepAlive\sYes$ +^SyslogFacility\sLOCAL1$ +^TCPKeepAlive\syes$ ^Tunnel\sethernet$ ^TunnelDevice\stun0$ ^UpdateHostKeys\sask$ -^UsePrivilegedPort\sNo$ +^UsePrivilegedPort\sno$ ^User\stestuser$ ^UserKnownHostsFile\s~/\.ssh/known_hosts\s~/\.ssh/known_hosts2$ ^VerifyHostKeyDNS\sask$ -^VisualHostKey\sYes$ +^VisualHostKey\syes$ ^XAuthLocation\s/usr/X11R6/bin/xauth$ diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_config/base b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_config/base index 2274ae0dfe..2eea216f04 100644 --- a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_config/base +++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_config/base 
@@ -7,22 +7,23 @@ Base test for ssh client config
 ^IdentityFile\s~/.ssh/identity$
 ^IdentityFile\s~/.ssh/id_rsa$
 ^IdentityFile\s~/.ssh/id_dsa$
-^
-^Match\suser\stestuser2\soriginalhost\shostname4$
-^\s{4}BatchMode\sYes$
-^\s{4}ForwardX11\sNo$
+^$
+^Match\scanonical\sexec\s/a/b/c\soriginalhost\shostname4\suser\stestuser2$
+^\s{4}BatchMode\syes$
+^\s{4}ForwardX11\sno$
 ^\s{4}NumberOfPasswordPrompts\s1$
-^
+^$
 ^Host\shostname.example.com\shostname4.example.com$
 ^\s{4}ProxyCommand\sssh\s-q\s-W\s%h:%p\sgateway.example.com$
 ^\s{4}User\stestuser$
-^
+^$
 ^Host\shostname2.example.com$
 ^\s{4}ProxyCommand\sssh\s-q\s-W\s%h:%p\sgateway2.example.com$
 ^\s{4}User\stestuser$
 ^\s{4}VerifyHostKeyDNS\sask$
-^
+^$
 ^Host\s\*$
-^\s{4}ForwardX11Trusted\sYes$
-^\s{4}GSSAPIAuthentication\sYes$
+^\s{4}ForwardX11Trusted\syes$
+^\s{4}GSSAPIAuthentication\syes$
 ^\s{4}SendEnv\sLANG\sLC_CTYPE\sLC_NUMERIC\sLC_TIME\sLC_ALL\sLC_MESSAGES\sLANGUAGE\sXMODIFIERS$
+^$
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_allopts/base b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_allopts/base
new file mode 100644
index 0000000000..53edd24c04
--- /dev/null
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_allopts/base
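Review bot: The new `^Match\scanonical\sexec\s/a/b/c\s...` expectation only exercises an `exec` argument without whitespace, so it does not show whether the shared `match.tt` include (not visible here) quotes the command the way ssh_config requires once the argument contains spaces; an unquoted `exec` argument with spaces is parsed as several criteria and silently changes what the block matches. A second fixture case such as `Match exec "/a/b c"` pinned as `^Match\sexec\s"/a/b c"...$` would close that gap. Replacing the old `^` blank-line expectations with `^$` is a real fix, since `^` alone matched any line and made those checks vacuous.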
@@ -0,0 +1,99 @@
+Base test for all ssh server config options
+---
+/etc/ssh/sshd_config
+---
+^AcceptEnv\sLC_CTYPE\sLANG\sTERM$
+^AddressFamily\sany$
+^AllowAgentForwarding\sno$
+^AllowGroups\swheel$
+^AllowStreamLocalForwarding\slocal$
+^AllowTcpForwarding\slocal$
+^AllowUsers\squattor$
+^AuthenticationMethods\sany$
+^AuthorizedKeysCommand\s/usr/sbin/key-lookup$
+^AuthorizedKeysCommandUser\skeyuser$
+^AuthorizedKeysFile\s/etc/ssh/authorized_keys\s\.ssh/authorized_keys$
+^AuthorizedPrincipalsCommand\s/usr/sbin/principal-lookup$
+^AuthorizedPrincipalsCommandUser\sprincuser$
+^AuthorizedPrincipalsFile\s/etc/ssh/x509_users\s\.ssh/x509_users$
+^Banner\sConfigured by Quattor$
+^ChallengeResponseAuthentication\sno$
+^ChrootDirectory\s/srv/ssh$
+^Ciphers\schacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc$
+^ClientAliveCountMax\s3$
+^ClientAliveInterval\s30$
+^Compression\sno$
+^DenyGroups\sadm$
+^DenyUsers\sroot$
+^DisableForwarding\sno$
+^ExposeAuthInfo\sno$
+^FingerprintHash\ssha256$
+^ForceCommand\scat\s/etc/motd$
+^GSSAPIAuthentication\syes$
+^GSSAPICleanupCredentials\syes$
+^GSSAPIKeyExchange\syes$
+^GSSAPIStoreCredentialsOnRekey\syes$
+^GSSAPIStrictAcceptorCheck\syes$
+^GatewayPorts\sclientspecified$
+^HostCertificate\s/etc/ssh/ssh_host_cert.pem$
+^HostKey\s/etc/ssh/ssh_host_rsa_key$
+^HostKey\s/etc/ssh/ssh_host_ed25519_key$
+^HostKeyAgent\s/run/ssh/key_agent\.socket$
+^HostKeyAlgorithms\secdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521$
+^HostbasedAcceptedKeyTypes\s-ssh-rsa$
+^HostbasedAuthentication\syes$
+^HostbasedUsesNameFromPacketOnly\sno$
+^IPQoS\slowdelay\sthroughput$
+^IgnoreRhosts\syes$
+^IgnoreUserKnownHosts\syes$
+^KbdInteractiveAuthentication\syes$
+^KerberosAuthentication\sno$
+^KerberosGetAFSToken\sno$
+^KerberosOrLocalPasswd\sno$
+^KerberosTicketCleanup\syes$
+^KexAlgorithms\secdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521$
+^ListenAddress\s127\.0\.0\.1:22$
+^ListenAddress\s192\.168\.0\.1:22$
+^ListenAddress\s192\.168\.0\.1:2200$
+^LogLevel\sDEBUG3$
+^LoginGraceTime\s60$
+^MACs\shmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com$
+^MaxAuthTries\s3$
+^MaxSessions\s10$
+^MaxStartups\s10:30:100$
+^PasswordAuthentication\sno$
+^PermitEmptyPasswords\sno$
+^PermitListen\s8080\s127\.0\.0\.1:\*$
+^PermitOpen\s8080\s192\.168\.0\.1:\*$
+^PermitRootLogin\sprohibit-password$
+^PermitTTY\syes$
+^PermitTunnel\spoint-to-point$
+^PermitUserEnvironment\sno$
+^PermitUserRC\sno$
+^PidFile\s/run/sshd\.pid$
+^Port\s22$
+^Port\s2200$
+^PrintLastLog\syes$
+^PrintMotd\syes$
+^PubkeyAcceptedKeyTypes\s-ssh-rsa$
+^PubkeyAuthentication\syes$
+^RDomain\s%D$
+^RSAAuthentication\sno$
+^RekeyLimit\s1G\s300s$
+^RevokedKeys\s/etc/ssh/revoked_keys$
+^RhostsRSAAuthentication\sno$
+^SetEnv\sLC_ALL="C"$
+^SetEnv\sTERM="xterm"$
+^StreamLocalBindMask\s0177$
+^StreamLocalBindUnlink\sno$
+^Subsystem\ssftp\sinternal-sftp$
+^SyslogFacility\sAUTH$
+^TCPKeepAlive\syes$
+^TrustedUserCAKeys\s/etc/ssh/trusted_cas$
+^UseDNS\syes$
+^UsePAM\syes$
+^VersionAddendum\sextra$
+^X11DisplayOffset\s10$
+^X11Forwarding\syes$
+^X11UseLocalHost\syes$
+^XAuthLocation\s/usr/bin/xauth$
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_config/base b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_config/base
new file mode 100644
index 0000000000..1e6466e7f8
--- /dev/null
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_config/base
@@ -0,0 +1,11 @@
+Base test for ssh server config
+---
+/etc/ssh/sshd_config
+---
+^AddressFamily\sany$
+^Ciphers\saes128-ctr,aes192-ctr,aes256-ctr$
+^PasswordAuthentication\sno$
+^Match\sAddress\s192.168.0.0/16,!192.168.10.0/24\sUser\stestuser2$
+^\s{4}PasswordAuthentication\syes$
+^Match\sAll$
+^\s{4}PasswordAuthentication\sno$
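Review bot: The new server_allopts fixture escapes `.` in some expectations (`key_agent\.socket`, `sshd\.pid`, `127\.0\.0\.1`) but leaves it unescaped in `^Ciphers\schacha20-poly1305@openssh.com,...$`, `^MACs\shmac-sha1-96-etm@openssh.com,...$` and `^HostCertificate\s/etc/ssh/ssh_host_cert.pem$`, where a bare `.` matches any character and weakens the check; `openssh\.com` and `ssh_host_cert\.pem` would match the escaping used elsewhere in the file. The Ciphers and MACs values pinned here (arcfour, 3des-cbc, hmac-md5-96) and `RSAAuthentication`/`RhostsRSAAuthentication` are legacy or removed settings that only make sense as schema coverage, so the header line should say so, e.g. `Base test for all ssh server config options (coverage of every schema key; values are not a hardening recommendation)`, to keep the fixture from being copied as a reference sshd_config.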
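Review bot: `^Match\sAddress\s192.168.0.0/16,!192.168.10.0/24\sUser\stestuser2$` in the new server_config fixture leaves every `.` unescaped, so the regexp would also accept a rendered address like `192x168y0z0/16`; since this block is exactly the one that re-enables `PasswordAuthentication yes` for a network range, the test should pin the literal bytes: `^Match\sAddress\s192\.168\.0\.0/16,!192\.168\.10\.0/24\sUser\stestuser2$`. The trailing `Match All` block restoring `PasswordAuthentication no` is a good pattern to keep in the fixture, because sshd applies Match blocks until the end of file and a later global-looking line would otherwise still be scoped to the previous Match.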