Merge pull request #1802 from jrha/cleanup-metaconfig-ssh
ncm-metaconfig: ssh: Fix wrapping and indentation in pan
jrha authored Dec 16, 2024
2 parents 1641345 + b46b580 commit 930c81b
Showing 4 changed files with 42 additions and 49 deletions.
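--- a/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan
@@ -8,25 +8,31 @@ include 'pan/types';
 type temp_ssh_ciphers = string with match (SELF, "^[+-]?(" +
 "(blowfish|3des|aes(128|192|256)|cast128)-cbc" +
 "|aes(128|192|256)-ctr|arcfour|arcfour(128|256)" +
-"|(aes(128|256)-gcm|chacha20-poly1305)@openssh.com)$");
+"|(aes(128|256)-gcm|chacha20-poly1305)@openssh.com)$"
+);
 type temp_ssh_hostkeyalgorithms = string with match(SELF, "^[+-]?(" +
 "ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|" +
 "(ssh-rsa-cert-v0[01]|ssh-dss-cert-v01|ecdsa-sha2-nistp(256|384|521)-cert-v01|" +
-"ssh-dss-cert-v00|ssh-ed25519-cert-v01)@openssh.com)$");
+"ssh-dss-cert-v00|ssh-ed25519-cert-v01)@openssh.com)$"
+);
 type temp_ssh_kbdinteractivedevices = string with match (SELF, "^(bsdauth|pam|skey)$");
 # Recent versions have distinct GSSAPIKexAlgorithms
 type temp_ssh_gss_kexalgorithms = string with match (SELF, "^[+-]?(gss-(gex|group1|group14)-sha1-" +
-"|gss-group14-sha256-|gss-group16-sha512-|gss-nistp256-sha256-|gss-curve25519-sha256-)$");
+"|gss-group14-sha256-|gss-group16-sha512-|gss-nistp256-sha256-|gss-curve25519-sha256-)$"
+);
 # Older versions include GSSAPI mechanisms in KEXAlgorithms, but only the SHA1 variants
 type temp_ssh_kexalgorithms = string with match (SELF, "^[+-]?(" +
 "diffie-hellman-group(1-sha1|14-sha1|-exchange-sha1|-exchange-sha256)" +
 "|ecdh-sha2-nistp(256|384|521)|[email protected]" +
-"|gss-(gex|group1|group14)-sha1-)$");
+"|gss-(gex|group1|group14)-sha1-)$"
+);
 type temp_ssh_MACs = string with match(SELF, "^[+-]?(hmac-(sha1|sha1-96|sha2-256|sha2-512|md5|md5-96|ripemd160)|" +
 "(hmac-ripemd160|umac-64|umac-128|hmac-sha1-etm|hmac-sha1-96-etm|hmac-sha2-256-etm|hmac-sha2-512-etm|" +
-"hmac-md5-etm|hmac-md5-96-etm|hmac-ripemd160-etm|umac-64-etm|umac-128-etm)@openssh.com)$");
+"hmac-md5-etm|hmac-md5-96-etm|hmac-ripemd160-etm|umac-64-etm|umac-128-etm)@openssh.com)$"
+);
 type temp_ssh_CAAlgorithms = string with match(SELF, "^[+-]?(" +
-"ecdsa-sha2-nistp(256|384|521)|ssh-ed25519|rsa-sha2-(256|512)|ssh-rsa)$");
+"ecdsa-sha2-nistp(256|384|521)|ssh-ed25519|rsa-sha2-(256|512)|ssh-rsa)$"
+);
 
 
 type ssh_config_opts = {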
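Review bot: All six `temp_ssh_*` match types in this hunk accept only `+` or `-` as a list-modifier prefix (`^[+-]?(`), so a value using the `^` prefix that newer OpenSSH accepts for Ciphers, KexAlgorithms, MACs and HostKeyAlgorithms (place the list at the head of the default set) is rejected by the schema; if the component targets those versions, `^[+^-]?(` covers it, with the exact set of options that honour `^` confirmed against the targeted ssh_config(5). The alternations also still admit legacy names (arcfour, blowfish-cbc, 3des-cbc, hmac-md5, ssh-dss, diffie-hellman-group1-sha1) that current OpenSSH releases have removed or disable by default, so a profile can validate here and still be rejected, or weakened, by the target daemon. A comment above the first type would make that explicit, e.g. `# These types only check that an algorithm name is syntactically known; they are not a security policy and include names modern OpenSSH no longer supports.` The kexalgorithms line is shown on this page as `[email protected]`, which looks like a rendering artefact rather than source text, so it is worth confirming the committed alternation still reads the intended `curve25519-sha256@libssh.org` token. The `ssh_config_opts` type opened on the last context line continues outside the hunk.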
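--- a/ncm-metaconfig/src/main/metaconfig/ssh/pan/server_config.pan
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/pan/server_config.pan
@@ -5,8 +5,9 @@ include 'metaconfig/ssh/schema';
 bind "/software/components/metaconfig/services/{/etc/ssh/sshd_config}/contents" = sshd_config_file;
 
 # since final locks the whole path, bind it to a fix value and set it as default too
-bind "/software/components/metaconfig/commands/sshd_test_stdin" =
-string = "/usr/sbin/sshd -t -f /dev/stdin" with SELF == "/usr/sbin/sshd -t -f /dev/stdin";
+bind "/software/components/metaconfig/commands/sshd_test_stdin" = string = "/usr/sbin/sshd -t -f /dev/stdin" with {
+SELF == "/usr/sbin/sshd -t -f /dev/stdin"
+};
 
 prefix "/software/components/metaconfig/services/{/etc/ssh/sshd_config}";
 "module" = "ssh/server";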
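Review bot: The literal `/usr/sbin/sshd -t -f /dev/stdin` is still written twice on the rewritten bind, once as the default and once inside the `with { ... }` constraint, and the first new line remains well over 100 characters, so the new wrapping keeps the duplication that makes the two copies easy to edit out of step; if they drift, the constraint rejects its own default. If pan accepts a global variable in both positions, `final variable SSHD_TEST_CMD = "/usr/sbin/sshd -t -f /dev/stdin";` followed by `bind "/software/components/metaconfig/commands/sshd_test_stdin" = string = SSHD_TEST_CMD with SELF == SSHD_TEST_CMD;` removes that risk and shortens the line. The comment above the bind would also read better as `# since final locks the whole path, bind it to a fixed value and set it as default too`, and could say why the value is pinned: presumably this is the command that test-parses a generated sshd_config (`sshd -t`) before it is installed, so a profile must not be able to substitute a different one.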
Expand Up @@ -12,44 +12,30 @@ prefix "/software/components/metaconfig/services/{/etc/ssh/ssh_config}/contents"
"ForwardX11", false,
"BatchMode", true,
"NumberOfPasswordPrompts", 1,
"criteria", dict(
"user", list("testuser2"),
"originalhost", list("hostname4"),
"exec", "/a/b/c",
"canonical", true,
),
);
'Match/0/criteria' = dict(
"user", list("testuser2"),
"originalhost", list("hostname4"),
"exec", "/a/b/c",
"canonical", true,
);

'Host' = append(
dict(
"hostnames", list("hostname.example.com", "hostname4.example.com"),
"ProxyCommand", "ssh -q -W %h:%p gateway.example.com",
"User", "testuser",
)
);


'Host' = append(
dict(
"hostnames", list("hostname2.example.com"),
"ProxyCommand", "ssh -q -W %h:%p gateway2.example.com",
"User", "testuser",
"VerifyHostKeyDNS", "ask",
)
);


'Host' = append(
dict(
"hostnames", list("*"),
"GSSAPIAuthentication", true,
"ForwardX11Trusted", true,
"SendEnv", list("LANG", "LC_CTYPE", "LC_NUMERIC", "LC_TIME", "LC_ALL",
"LC_MESSAGES", "LANGUAGE", "XMODIFIERS"),
)
);





'Host' = append(dict(
"hostnames", list("hostname.example.com", "hostname4.example.com"),
"ProxyCommand", "ssh -q -W %h:%p gateway.example.com",
"User", "testuser",
));

'Host' = append(dict(
"hostnames", list("hostname2.example.com"),
"ProxyCommand", "ssh -q -W %h:%p gateway2.example.com",
"User", "testuser",
"VerifyHostKeyDNS", "ask",
));

'Host' = append(dict(
"hostnames", list("*"),
"GSSAPIAuthentication", true,
"ForwardX11Trusted", true,
"SendEnv", list("LANG", "LC_CTYPE", "LC_NUMERIC", "LC_TIME", "LC_ALL", "LC_MESSAGES", "LANGUAGE", "XMODIFIERS"),
));
Expand Up @@ -18,10 +18,10 @@ prefix "/software/components/metaconfig/services/{/etc/ssh/sshd_config}/contents
"Match/0/criteria" = dict(
"User", list("testuser2"),
"Address", list("192.168.0.0/16", "!192.168.10.0/24"),
);
);
"Match/0/PasswordAuthentication" = true;

"Match/1/criteria" = dict(
"All", true,
);
);
"Match/1/PasswordAuthentication" = false;
