diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan b/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan
index ea8a3f608e..29f840dbc6 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan
@@ -8,25 +8,31 @@ include 'pan/types';
 type temp_ssh_ciphers = string with match (SELF, "^[+-]?(" +
 "(blowfish|3des|aes(128|192|256)|cast128)-cbc" +
 "|aes(128|192|256)-ctr|arcfour|arcfour(128|256)" +
- "|(aes(128|256)-gcm|chacha20-poly1305)@openssh.com)$");
+ "|(aes(128|256)-gcm|chacha20-poly1305)@openssh.com)$"
+);
 type temp_ssh_hostkeyalgorithms = string with match(SELF, "^[+-]?(" +
 "ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|" +
 "(ssh-rsa-cert-v0[01]|ssh-dss-cert-v01|ecdsa-sha2-nistp(256|384|521)-cert-v01|" +
- "ssh-dss-cert-v00|ssh-ed25519-cert-v01)@openssh.com)$");
+ "ssh-dss-cert-v00|ssh-ed25519-cert-v01)@openssh.com)$"
+);
 type temp_ssh_kbdinteractivedevices = string with match (SELF, "^(bsdauth|pam|skey)$");
 # Recent versions have distinct GSSAPIKexAlgorithms
 type temp_ssh_gss_kexalgorithms = string with match (SELF, "^[+-]?(gss-(gex|group1|group14)-sha1-" +
- "|gss-group14-sha256-|gss-group16-sha512-|gss-nistp256-sha256-|gss-curve25519-sha256-)$");
+ "|gss-group14-sha256-|gss-group16-sha512-|gss-nistp256-sha256-|gss-curve25519-sha256-)$"
+);
 # Older versions include GSSAPI mechanisms in KEXAlgorithms, but only the SHA1 variants
 type temp_ssh_kexalgorithms = string with match (SELF, "^[+-]?(" +
 "diffie-hellman-group(1-sha1|14-sha1|-exchange-sha1|-exchange-sha256)" +
 "|ecdh-sha2-nistp(256|384|521)|curve25519-sha256@libssh.org" +
- "|gss-(gex|group1|group14)-sha1-)$");
+ "|gss-(gex|group1|group14)-sha1-)$"
+);
 type temp_ssh_MACs = string with match(SELF, "^[+-]?(hmac-(sha1|sha1-96|sha2-256|sha2-512|md5|md5-96|ripemd160)|" +
 "(hmac-ripemd160|umac-64|umac-128|hmac-sha1-etm|hmac-sha1-96-etm|hmac-sha2-256-etm|hmac-sha2-512-etm|" +
- "hmac-md5-etm|hmac-md5-96-etm|hmac-ripemd160-etm|umac-64-etm|umac-128-etm)@openssh.com)$");
+ "hmac-md5-etm|hmac-md5-96-etm|hmac-ripemd160-etm|umac-64-etm|umac-128-etm)@openssh.com)$"
+);
 type temp_ssh_CAAlgorithms = string with match(SELF, "^[+-]?(" +
- "ecdsa-sha2-nistp(256|384|521)|ssh-ed25519|rsa-sha2-(256|512)|ssh-rsa)$");
+ "ecdsa-sha2-nistp(256|384|521)|ssh-ed25519|rsa-sha2-(256|512)|ssh-rsa)$"
+);
 type ssh_config_opts = {
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/pan/server_config.pan b/ncm-metaconfig/src/main/metaconfig/ssh/pan/server_config.pan
index 2e1d20c2e3..8c963d618f 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/pan/server_config.pan
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/pan/server_config.pan
@@ -5,8 +5,9 @@ include 'metaconfig/ssh/schema';
 bind "/software/components/metaconfig/services/{/etc/ssh/sshd_config}/contents" = sshd_config_file;
 # since final locks the whole path, bind it to a fix value and set it as default too
-bind "/software/components/metaconfig/commands/sshd_test_stdin" =
- string = "/usr/sbin/sshd -t -f /dev/stdin" with SELF == "/usr/sbin/sshd -t -f /dev/stdin";
+bind "/software/components/metaconfig/commands/sshd_test_stdin" = string = "/usr/sbin/sshd -t -f /dev/stdin" with {
+ SELF == "/usr/sbin/sshd -t -f /dev/stdin"
+};
 prefix "/software/components/metaconfig/services/{/etc/ssh/sshd_config}";
 "module" = "ssh/server";
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/client_config.pan b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/client_config.pan
index 189cf65c1f..1e5e5b84ef 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/client_config.pan
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/client_config.pan
@@ -12,44 +12,30 @@ prefix "/software/components/metaconfig/services/{/etc/ssh/ssh_config}/contents"
 "ForwardX11", false,
 "BatchMode", true,
 "NumberOfPasswordPrompts", 1,
+ "criteria", dict(
+ "user", list("testuser2"),
+ "originalhost", list("hostname4"),
+ "exec", "/a/b/c",
+ "canonical", true,
+ ),
 );
-'Match/0/criteria' = dict(
- "user", list("testuser2"),
- "originalhost", list("hostname4"),
- "exec", "/a/b/c",
- "canonical", true,
-);
-
-'Host' = append(
- dict(
- "hostnames", list("hostname.example.com", "hostname4.example.com"),
- "ProxyCommand", "ssh -q -W %h:%p gateway.example.com",
- "User", "testuser",
- )
- );
-
-
-'Host' = append(
- dict(
- "hostnames", list("hostname2.example.com"),
- "ProxyCommand", "ssh -q -W %h:%p gateway2.example.com",
- "User", "testuser",
- "VerifyHostKeyDNS", "ask",
- )
- );
-
-
-'Host' = append(
- dict(
- "hostnames", list("*"),
- "GSSAPIAuthentication", true,
- "ForwardX11Trusted", true,
- "SendEnv", list("LANG", "LC_CTYPE", "LC_NUMERIC", "LC_TIME", "LC_ALL",
- "LC_MESSAGES", "LANGUAGE", "XMODIFIERS"),
- )
- );
-
-
-
-
+'Host' = append(dict(
+ "hostnames", list("hostname.example.com", "hostname4.example.com"),
+ "ProxyCommand", "ssh -q -W %h:%p gateway.example.com",
+ "User", "testuser",
+));
+
+'Host' = append(dict(
+ "hostnames", list("hostname2.example.com"),
+ "ProxyCommand", "ssh -q -W %h:%p gateway2.example.com",
+ "User", "testuser",
+ "VerifyHostKeyDNS", "ask",
+));
+
+'Host' = append(dict(
+ "hostnames", list("*"),
+ "GSSAPIAuthentication", true,
+ "ForwardX11Trusted", true,
+ "SendEnv", list("LANG", "LC_CTYPE", "LC_NUMERIC", "LC_TIME", "LC_ALL", "LC_MESSAGES", "LANGUAGE", "XMODIFIERS"),
+));
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_config.pan b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_config.pan
index 31082acf6f..1b27e5056e 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_config.pan
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_config.pan
@@ -18,10 +18,10 @@ prefix "/software/components/metaconfig/services/{/etc/ssh/sshd_config}/contents
 "Match/0/criteria" = dict(
 "User", list("testuser2"),
 "Address", list("192.168.0.0/16", "!192.168.10.0/24"),
- );
+);
 "Match/0/PasswordAuthentication" = true;
 "Match/1/criteria" = dict(
 "All", true,
- );
+);
 "Match/1/PasswordAuthentication" = false;