From 1c936bb38d39b238001364e1a7ee5479bdfff053 Mon Sep 17 00:00:00 2001
From: Dominic Cleal <dcleal@redhat.com>
Date: Fri, 12 Jun 2015 11:01:57 +0100
Subject: [PATCH] Sshd: revert Sshd module to 1.1.0-compatible, add Sshd_140
In order to keep the default sshd config lens compatible with 1.1.0,
the lens from 1.4.0 has been kept in the Sshd_140 module and is not
loaded by default. Use aug_transform, augtool --transform etc. to use
it instead of Sshd.
---
lenses/sshd.aug | 52 ++++++---------
lenses/sshd_140.aug | 141 +++++++++++++++++++++++++++++++++++++++++
lenses/tests/test_sshd.aug | 56 ----------------
lenses/tests/test_sshd_140.aug | 136 +++++++++++++++++++++++++++++++++++++++
tests/Makefile.am | 1 +
5 files changed, 298 insertions(+), 88 deletions(-)
create mode 100644 lenses/sshd_140.aug
create mode 100644 lenses/tests/test_sshd_140.aug
diff --git a/lenses/sshd.aug b/lenses/sshd.aug
|
|
|
c55e75 |
index 55f6c4f7..785102ec 100644
|
|
|
c2e930 |
--- a/lenses/sshd.aug
|
|
|
c2e930 |
+++ b/lenses/sshd.aug
|
|
|
c2e930 |
@@ -70,55 +70,41 @@ module Sshd =
|
|
|
c2e930 |
|
|
|
c2e930 |
let sep = Util.del_ws_spc
|
|
|
c2e930 |
|
|
|
c2e930 |
- let indent = del /[ \t]*/ " "
|
|
|
c2e930 |
-
|
|
|
c2e930 |
let key_re = /[A-Za-z0-9]+/
|
|
|
c2e930 |
- - /MACs|Match|AcceptEnv|Subsystem|Ciphers|KexAlgorithms|(Allow|Deny)(Groups|Users)/i
|
|
|
c2e930 |
+ - /MACs|Match|AcceptEnv|Subsystem|(Allow|Deny)(Groups|Users)/
|
|
|
c2e930 |
|
|
|
c2e930 |
let comment = Util.comment
|
|
|
c2e930 |
- let comment_noindent = Util.comment_noindent
|
|
|
c2e930 |
let empty = Util.empty
|
|
|
c2e930 |
|
|
|
c2e930 |
- let array_entry (kw:regexp) (sq:string) =
|
|
|
c2e930 |
+ let array_entry (k:string) =
|
|
|
c2e930 |
let value = store /[^ \t\n]+/ in
|
|
|
c2e930 |
- [ key kw . [ sep . seq sq . value]* . eol ]
|
|
|
c2e930 |
+ [ key k . [ sep . seq k . value]* . eol ]
|
|
|
c2e930 |
|
|
|
c2e930 |
let other_entry =
|
|
|
c2e930 |
let value = store /[^ \t\n]+([ \t]+[^ \t\n]+)*/ in
|
|
|
c2e930 |
[ key key_re . sep . value . eol ]
|
|
|
c2e930 |
|
|
|
c2e930 |
- let accept_env = array_entry /AcceptEnv/i "AcceptEnv"
|
|
|
c2e930 |
+ let accept_env = array_entry "AcceptEnv"
|
|
|
c2e930 |
|
|
|
c2e930 |
- let allow_groups = array_entry /AllowGroups/i "AllowGroups"
|
|
|
c2e930 |
- let allow_users = array_entry /AllowUsers/i "AllowUsers"
|
|
|
c2e930 |
- let deny_groups = array_entry /DenyGroups/i "DenyGroups"
|
|
|
c2e930 |
- let deny_users = array_entry /DenyUsers/i "DenyUsers"
|
|
|
c2e930 |
+ let allow_groups = array_entry "AllowGroups"
|
|
|
c2e930 |
+ let allow_users = array_entry "AllowUsers"
|
|
|
c2e930 |
+ let deny_groups = array_entry "DenyGroups"
|
|
|
c2e930 |
+ let deny_users = array_entry "DenyUsers"
|
|
|
c2e930 |
|
|
|
c2e930 |
let subsystemvalue =
|
|
|
c2e930 |
let value = store (/[^ \t\n](.*[^ \t\n])?/) in
|
|
|
c2e930 |
[ key /[A-Za-z0-9\-]+/ . sep . value . eol ]
|
|
|
c2e930 |
|
|
|
c2e930 |
let subsystem =
|
|
|
c2e930 |
- [ key /Subsystem/i . sep . subsystemvalue ]
|
|
|
c2e930 |
+ [ key "Subsystem" . sep . subsystemvalue ]
|
|
|
c2e930 |
|
|
|
c2e930 |
- let list (kw:regexp) (sq:string) =
|
|
|
c2e930 |
- let value = store /[^, \t\n]+/ in
|
|
|
c2e930 |
- [ key kw . sep .
|
|
|
c2e930 |
- [ seq sq . value ] .
|
|
|
c2e930 |
- ([ seq sq . Util.del_str "," . value])* .
|
|
|
c2e930 |
+ let macs =
|
|
|
c2e930 |
+ let mac_value = store /[^, \t\n]+/ in
|
|
|
c2e930 |
+ [ key "MACs" . sep .
|
|
|
c2e930 |
+ [ seq "macs" . mac_value ] .
|
|
|
c2e930 |
+ ([ seq "macs" . Util.del_str "," . mac_value])* .
|
|
|
c2e930 |
eol ]
|
|
|
c2e930 |
|
|
|
c2e930 |
- let macs = list /MACs/i "MACs"
|
|
|
c2e930 |
-
|
|
|
c2e930 |
- let ciphers = list /Ciphers/i "Ciphers"
|
|
|
c2e930 |
-
|
|
|
c2e930 |
- let kexalgorithms = list /KexAlgorithms/i "KexAlgorithms"
|
|
|
c2e930 |
-
|
|
|
c2e930 |
- let entry = accept_env | allow_groups | allow_users
|
|
|
c2e930 |
- | deny_groups | subsystem | deny_users
|
|
|
c2e930 |
- | macs | ciphers | kexalgorithms
|
|
|
c2e930 |
- | other_entry
|
|
|
c2e930 |
-
|
|
|
c2e930 |
let condition_entry =
|
|
|
c2e930 |
let value = store /[^ \t\n]+/ in
|
|
|
c2e930 |
[ sep . key /[A-Za-z0-9]+/ . sep . value ]
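Review bot: The key_re exclusion on the new side matches keywords case-sensitively and no longer carves out Ciphers/KexAlgorithms, so spellings that sshd itself accepts (sshd_config(5) keywords are case-insensitive), such as `ciphers …` or `match User foo`, fall through to other_entry, and a Ciphers or KexAlgorithms line is stored as one opaque comma-separated value instead of a numbered list. That is the intended 1.1.0 behaviour, but nothing in sshd.aug says so, and the tests deleted from test_sshd.aug are not replaced by ones pinning it, so a tool auditing cipher lists through the default lens will silently see a single string. I would add next to key_re: `(* 1.1.0-compatible: keys are matched case-sensitively and Ciphers/KexAlgorithms are stored as a single value; use Sshd_140 for list parsing and case-insensitive keys *)`, plus a test in test_sshd.aug that gets `Ciphers aes256-ctr,aes128-ctr\n` as `{ "Ciphers" = "aes256-ctr,aes128-ctr" }`. The Sshd module header lies outside this hunk.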
|
|
|
c2e930 |
@@ -126,15 +112,17 @@ module Sshd =
|
|
|
c2e930 |
let match_cond =
|
|
|
c2e930 |
[ label "Condition" . condition_entry+ . eol ]
|
|
|
c2e930 |
|
|
|
c2e930 |
- let match_entry = indent . (entry | comment_noindent)
|
|
|
c2e930 |
- | empty
|
|
|
c2e930 |
+ let match_entry =
|
|
|
c2e930 |
+ ( comment | empty | (Util.indent . other_entry) )
|
|
|
c2e930 |
|
|
|
c2e930 |
let match =
|
|
|
c2e930 |
- [ key /Match/i . match_cond
|
|
|
c2e930 |
+ [ key "Match" . match_cond
|
|
|
c2e930 |
. [ label "Settings" . match_entry+ ]
|
|
|
c2e930 |
]
|
|
|
c2e930 |
|
|
|
c2e930 |
- let lns = (entry | comment | empty)* . match*
|
|
|
c2e930 |
+ let lns = (comment | empty | accept_env | allow_groups | allow_users
|
|
|
c2e930 |
+ | deny_groups | subsystem | deny_users | macs
|
|
|
c2e930 |
+ | other_entry ) * . match*
|
|
|
c2e930 |
|
|
|
c2e930 |
let xfm = transform lns (incl "/etc/ssh/sshd_config")
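Review bot: match_entry on the new side admits only comment, empty and `Util.indent . other_entry`, and since key_re excludes AllowGroups/AllowUsers/DenyGroups/DenyUsers/Subsystem/MACs, a Match block containing one of them — e.g. `Match User foo` followed by `AllowGroups users`, which sshd_config(5) permits and which the test deleted for GH issue #75 covered — makes the whole file fail to parse under the default lens. Failing closed beats mis-parsing, but tooling that manages sshd_config through Augeas then cannot load such a hardened config at all. If 1.1.0 compatibility only constrains the tree shape of files that already parsed, extending the alternative is backward-compatible: `( comment | empty | (Util.indent . (allow_groups | allow_users | deny_groups | deny_users | other_entry)) )`; otherwise the limitation should be stated in the module header, which lies outside this hunk.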
|
|
|
c2e930 |
|
|
|
c2e930 |
diff --git a/lenses/sshd_140.aug b/lenses/sshd_140.aug
|
|
|
c2e930 |
new file mode 100644
|
|
|
c55e75 |
index 00000000..8a7f176f
|
|
|
c2e930 |
--- /dev/null
|
|
|
c2e930 |
+++ b/lenses/sshd_140.aug
|
|
|
c2e930 |
@@ -0,0 +1,141 @@
|
|
|
c2e930 |
+(*
|
|
|
c2e930 |
+Module: Sshd_140
|
|
|
c2e930 |
+ Parses /etc/ssh/sshd_config
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ This module is compatible with Augeas 1.4.0, but is not loaded by default.
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+Author: David Lutterkort lutter@redhat.com
|
|
|
c2e930 |
+ Dominique Dumont dominique.dumont@hp.com
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+About: Reference
|
|
|
c2e930 |
+ sshd_config man page.
|
|
|
c2e930 |
+ See http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+About: License
|
|
|
c2e930 |
+ This file is licensed under the LGPL v2+.
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+About: Lens Usage
|
|
|
c2e930 |
+ Sample usage of this lens in augtool:
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ * Get your current setup
|
|
|
c2e930 |
+ > print /files/etc/ssh/sshd_config
|
|
|
c2e930 |
+ ...
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ * Set X11Forwarding to "no"
|
|
|
c2e930 |
+ > set /files/etc/ssh/sshd_config/X11Forwarding "no"
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ More advanced usage:
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ * Set a Match section
|
|
|
c2e930 |
+ > set /files/etc/ssh/sshd_config/Match[1]/Condition/User "foo"
|
|
|
c2e930 |
+ > set /files/etc/ssh/sshd_config/Match[1]/Settings/X11Forwarding "yes"
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ Saving your file:
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ > save
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+About: CAVEATS
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ In sshd_config, Match blocks must be located at the end of the file.
|
|
|
c2e930 |
+ This means that any new "global" parameters (i.e. outside of a Match
|
|
|
c2e930 |
+ block) must be written before the first Match block. By default,
|
|
|
c2e930 |
+ Augeas will write new parameters at the end of the file.
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ I.e. if you have a Match section and no ChrootDirectory parameter,
|
|
|
c2e930 |
+ this command:
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ > set /files/etc/ssh/sshd_config/ChrootDirectory "foo"
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ will be stored in a new node after the Match section and Augeas will
|
|
|
c2e930 |
+ refuse to save sshd_config file.
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ To create a new parameter as the right place, you must first create
|
|
|
c2e930 |
+ a new Augeas node before the Match section:
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ > ins ChrootDirectory before /files/etc/ssh/sshd_config/Match
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ Then, you can set the parameter
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ > set /files/etc/ssh/sshd_config/ChrootDirectory "foo"
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+About: Configuration files
|
|
|
c2e930 |
+ This lens applies to /etc/ssh/sshd_config
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+*)
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+module Sshd_140 =
|
|
|
c2e930 |
+ let eol = del /[ \t]*\n/ "\n"
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ let sep = Util.del_ws_spc
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ let indent = del /[ \t]*/ " "
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ let key_re = /[A-Za-z0-9]+/
|
|
|
c2e930 |
+ - /MACs|Match|AcceptEnv|Subsystem|Ciphers|KexAlgorithms|(Allow|Deny)(Groups|Users)/i
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ let comment = Util.comment
|
|
|
c2e930 |
+ let comment_noindent = Util.comment_noindent
|
|
|
c2e930 |
+ let empty = Util.empty
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ let array_entry (kw:regexp) (sq:string) =
|
|
|
c2e930 |
+ let value = store /[^ \t\n]+/ in
|
|
|
c2e930 |
+ [ key kw . [ sep . seq sq . value]* . eol ]
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ let other_entry =
|
|
|
c2e930 |
+ let value = store /[^ \t\n]+([ \t]+[^ \t\n]+)*/ in
|
|
|
c2e930 |
+ [ key key_re . sep . value . eol ]
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ let accept_env = array_entry /AcceptEnv/i "AcceptEnv"
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ let allow_groups = array_entry /AllowGroups/i "AllowGroups"
|
|
|
c2e930 |
+ let allow_users = array_entry /AllowUsers/i "AllowUsers"
|
|
|
c2e930 |
+ let deny_groups = array_entry /DenyGroups/i "DenyGroups"
|
|
|
c2e930 |
+ let deny_users = array_entry /DenyUsers/i "DenyUsers"
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ let subsystemvalue =
|
|
|
c2e930 |
+ let value = store (/[^ \t\n](.*[^ \t\n])?/) in
|
|
|
c2e930 |
+ [ key /[A-Za-z0-9\-]+/ . sep . value . eol ]
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ let subsystem =
|
|
|
c2e930 |
+ [ key /Subsystem/i . sep . subsystemvalue ]
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ let list (kw:regexp) (sq:string) =
|
|
|
c2e930 |
+ let value = store /[^, \t\n]+/ in
|
|
|
c2e930 |
+ [ key kw . sep .
|
|
|
c2e930 |
+ [ seq sq . value ] .
|
|
|
c2e930 |
+ ([ seq sq . Util.del_str "," . value])* .
|
|
|
c2e930 |
+ eol ]
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ let macs = list /MACs/i "MACs"
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ let ciphers = list /Ciphers/i "Ciphers"
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ let kexalgorithms = list /KexAlgorithms/i "KexAlgorithms"
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ let entry = accept_env | allow_groups | allow_users
|
|
|
c2e930 |
+ | deny_groups | subsystem | deny_users
|
|
|
c2e930 |
+ | macs | ciphers | kexalgorithms
|
|
|
c2e930 |
+ | other_entry
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ let condition_entry =
|
|
|
c2e930 |
+ let value = store /[^ \t\n]+/ in
|
|
|
c2e930 |
+ [ sep . key /[A-Za-z0-9]+/ . sep . value ]
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ let match_cond =
|
|
|
c2e930 |
+ [ label "Condition" . condition_entry+ . eol ]
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ let match_entry = indent . (entry | comment_noindent)
|
|
|
c2e930 |
+ | empty
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ let match =
|
|
|
c2e930 |
+ [ key /Match/i . match_cond
|
|
|
c2e930 |
+ . [ label "Settings" . match_entry+ ]
|
|
|
c2e930 |
+ ]
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ let lns = (entry | comment | empty)* . match*
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+(* Local Variables: *)
|
|
|
c2e930 |
+(* mode: caml *)
|
|
|
c2e930 |
+(* End: *)
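Review bot: The new module defines no `xfm`/`transform`, which matches "not loaded by default", yet the header's "About: Configuration files" and "Lens Usage" sections still read as if it owns /etc/ssh/sshd_config, and the `print /files/etc/ssh/sshd_config` examples would in practice be served by the default Sshd lens. A reader following the header will not learn that they must attach the lens themselves, and I believe Augeas reports an error for a file claimed by two transforms, so the Sshd transform must also be excluded from that path. I would replace the "About: Configuration files" paragraph with a sentence stating that no transform is defined and that the lens is attached with aug_transform or `augtool --transform "Sshd_140 incl /etc/ssh/sshd_config"`, noting that the file must then be excluded from Sshd. The lens body itself is a copy of the 1.4.0 Sshd module and needs no change.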
|
|
|
c2e930 |
diff --git a/lenses/tests/test_sshd.aug b/lenses/tests/test_sshd.aug
|
|
|
c55e75 |
index 5954e16f..788a12f0 100644
|
|
|
c2e930 |
--- a/lenses/tests/test_sshd.aug
|
|
|
c2e930 |
+++ b/lenses/tests/test_sshd.aug
|
|
|
c2e930 |
@@ -1,4 +1,3 @@
|
|
|
c2e930 |
-(* Module: Test_sshd *)
|
|
|
c2e930 |
module Test_sshd =
|
|
|
c2e930 |
|
|
|
c2e930 |
let accept_env = "Protocol 2
|
|
|
c2e930 |
@@ -75,61 +74,6 @@ Match User sarko Group pres.*
|
|
|
c2e930 |
Match User bush Group pres.* Host white.house.*
|
|
|
c2e930 |
Banner /etc/welcome.txt\n"
|
|
|
c2e930 |
|
|
|
c2e930 |
-(* Test: Sshd.lns
|
|
|
c2e930 |
- Indent when adding to a Match group *)
|
|
|
c2e930 |
- test Sshd.lns put match_blocks after
|
|
|
c2e930 |
- set "Match[1]/Settings/PermitRootLogin" "yes";
|
|
|
c2e930 |
- set "Match[1]/Settings/#comment" "a comment" =
|
|
|
c2e930 |
-"X11Forwarding yes
|
|
|
c2e930 |
-Match User sarko Group pres.*
|
|
|
c2e930 |
- Banner /etc/bienvenue.txt
|
|
|
c2e930 |
- X11Forwarding no
|
|
|
c2e930 |
- PermitRootLogin yes
|
|
|
c2e930 |
- # a comment
|
|
|
c2e930 |
-Match User bush Group pres.* Host white.house.*
|
|
|
c2e930 |
-Banner /etc/welcome.txt\n"
|
|
|
c2e930 |
-
|
|
|
c2e930 |
-
|
|
|
c2e930 |
-(* Test: Sshd.lns
|
|
|
c2e930 |
- Parse Ciphers and KexAlgorithms as lists (GH issue #69) *)
|
|
|
c2e930 |
-test Sshd.lns get "Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
|
|
|
c2e930 |
-KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1\n" =
|
|
|
c2e930 |
- { "Ciphers"
|
|
|
c2e930 |
- { "1" = "aes256-gcm@openssh.com" }
|
|
|
c2e930 |
- { "2" = "aes128-gcm@openssh.com" }
|
|
|
c2e930 |
- { "3" = "aes256-ctr" }
|
|
|
c2e930 |
- { "4" = "aes128-ctr" }
|
|
|
c2e930 |
- }
|
|
|
c2e930 |
- { "KexAlgorithms"
|
|
|
c2e930 |
- { "1" = "diffie-hellman-group-exchange-sha256" }
|
|
|
c2e930 |
- { "2" = "diffie-hellman-group14-sha1" }
|
|
|
c2e930 |
- { "3" = "diffie-hellman-group-exchange-sha1" }
|
|
|
c2e930 |
- }
|
|
|
c2e930 |
-
|
|
|
c2e930 |
-(* Test: Sshd.lns
|
|
|
c2e930 |
- Keys are case-insensitive *)
|
|
|
c2e930 |
-test Sshd.lns get "ciPheRs aes256-gcm@openssh.com,aes128-ctr
|
|
|
c2e930 |
-maTcH User foo
|
|
|
c2e930 |
- x11forwarding no\n" =
|
|
|
c2e930 |
- { "ciPheRs"
|
|
|
c2e930 |
- { "1" = "aes256-gcm@openssh.com" }
|
|
|
c2e930 |
- { "2" = "aes128-ctr" }
|
|
|
c2e930 |
- }
|
|
|
c2e930 |
- { "maTcH"
|
|
|
c2e930 |
- { "Condition"
|
|
|
c2e930 |
- { "User" = "foo" }
|
|
|
c2e930 |
- }
|
|
|
c2e930 |
- { "Settings"
|
|
|
c2e930 |
- { "x11forwarding" = "no" }
|
|
|
c2e930 |
- }
|
|
|
c2e930 |
- }
|
|
|
c2e930 |
-
|
|
|
c2e930 |
-(* Test: Sshd.lns
|
|
|
c2e930 |
- Allow AllowGroups in Match groups (GH issue #75) *)
|
|
|
c2e930 |
-test Sshd.lns get "Match User foo
|
|
|
c2e930 |
-AllowGroups users\n" =
|
|
|
c2e930 |
- { "Match" { "Condition" { "User" = "foo" } }
|
|
|
c2e930 |
- { "Settings" { "AllowGroups" { "1" = "users" } } } }
|
|
|
c2e930 |
|
|
|
c2e930 |
(* Local Variables: *)
|
|
|
c2e930 |
(* mode: caml *)
|
|
|
c2e930 |
diff --git a/lenses/tests/test_sshd_140.aug b/lenses/tests/test_sshd_140.aug
|
|
|
c2e930 |
new file mode 100644
|
|
|
c55e75 |
index 00000000..056c53f9
|
|
|
c2e930 |
--- /dev/null
|
|
|
c2e930 |
+++ b/lenses/tests/test_sshd_140.aug
|
|
|
c2e930 |
@@ -0,0 +1,136 @@
|
|
|
c2e930 |
+(* Module: Test_sshd_140 *)
|
|
|
c2e930 |
+module Test_sshd_140 =
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ let accept_env = "Protocol 2
|
|
|
c2e930 |
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
|
|
c2e930 |
+AcceptEnv LC_IDENTIFICATION LC_ALL\n"
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ test Sshd_140.lns get accept_env =
|
|
|
c2e930 |
+ { "Protocol" = "2" }
|
|
|
c2e930 |
+ { "AcceptEnv"
|
|
|
c2e930 |
+ { "1" = "LC_PAPER" }
|
|
|
c2e930 |
+ { "2" = "LC_NAME" }
|
|
|
c2e930 |
+ { "3" = "LC_ADDRESS" }
|
|
|
c2e930 |
+ { "4" = "LC_TELEPHONE" }
|
|
|
c2e930 |
+ { "5" = "LC_MEASUREMENT" } }
|
|
|
c2e930 |
+ { "AcceptEnv"
|
|
|
c2e930 |
+ { "6" = "LC_IDENTIFICATION" }
|
|
|
c2e930 |
+ { "7" = "LC_ALL" } }
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ test Sshd_140.lns get "HostKey /etc/ssh/ssh_host_rsa_key
|
|
|
c2e930 |
+HostKey /etc/ssh/ssh_host_dsa_key\n" =
|
|
|
c2e930 |
+ { "HostKey" = "/etc/ssh/ssh_host_rsa_key" }
|
|
|
c2e930 |
+ { "HostKey" = "/etc/ssh/ssh_host_dsa_key" }
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ test Sshd_140.lns put accept_env after
|
|
|
c2e930 |
+ rm "AcceptEnv";
|
|
|
c2e930 |
+ rm "AcceptEnv";
|
|
|
c2e930 |
+ set "Protocol" "1.5";
|
|
|
c2e930 |
+ set "X11Forwarding" "yes"
|
|
|
c2e930 |
+ = "Protocol 1.5\nX11Forwarding yes\n"
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ test Sshd_140.lns get "AuthorizedKeysFile %h/.ssh/authorized_keys\n" =
|
|
|
c2e930 |
+ { "AuthorizedKeysFile" = "%h/.ssh/authorized_keys" }
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ test Sshd_140.lns get "Subsystem sftp /usr/lib/openssh/sftp-server\n" =
|
|
|
c2e930 |
+ { "Subsystem"
|
|
|
c2e930 |
+ { "sftp" = "/usr/lib/openssh/sftp-server" } }
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ test Sshd_140.lns get "Subsystem sftp-test /usr/lib/openssh/sftp-server\n" =
|
|
|
c2e930 |
+ { "Subsystem"
|
|
|
c2e930 |
+ { "sftp-test" = "/usr/lib/openssh/sftp-server" } }
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ let match_blocks = "X11Forwarding yes
|
|
|
c2e930 |
+Match User sarko Group pres.*
|
|
|
c2e930 |
+ Banner /etc/bienvenue.txt
|
|
|
c2e930 |
+ X11Forwarding no
|
|
|
c2e930 |
+Match User bush Group pres.* Host white.house.*
|
|
|
c2e930 |
+Banner /etc/welcome.txt
|
|
|
c2e930 |
+"
|
|
|
c2e930 |
+ test Sshd_140.lns get match_blocks =
|
|
|
c2e930 |
+ { "X11Forwarding" = "yes"}
|
|
|
c2e930 |
+ { "Match"
|
|
|
c2e930 |
+ { "Condition" { "User" = "sarko" }
|
|
|
c2e930 |
+ { "Group" = "pres.*" } }
|
|
|
c2e930 |
+ { "Settings" { "Banner" = "/etc/bienvenue.txt" }
|
|
|
c2e930 |
+ { "X11Forwarding" = "no" } } }
|
|
|
c2e930 |
+ { "Match"
|
|
|
c2e930 |
+ { "Condition" { "User" = "bush" }
|
|
|
c2e930 |
+ { "Group" = "pres.*" }
|
|
|
c2e930 |
+ { "Host" = "white.house.*" } }
|
|
|
c2e930 |
+ { "Settings" { "Banner" = "/etc/welcome.txt" } } }
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+ test Sshd_140.lns put match_blocks after
|
|
|
c2e930 |
+ insb "Subsystem" "/Match[1]";
|
|
|
c2e930 |
+ set "/Subsystem/sftp" "/usr/libexec/openssh/sftp-server"
|
|
|
c2e930 |
+ = "X11Forwarding yes
|
|
|
c2e930 |
+Subsystem sftp /usr/libexec/openssh/sftp-server
|
|
|
c2e930 |
+Match User sarko Group pres.*
|
|
|
c2e930 |
+ Banner /etc/bienvenue.txt
|
|
|
c2e930 |
+ X11Forwarding no
|
|
|
c2e930 |
+Match User bush Group pres.* Host white.house.*
|
|
|
c2e930 |
+Banner /etc/welcome.txt\n"
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+(* Test: Sshd_140.lns
|
|
|
c2e930 |
+ Indent when adding to a Match group *)
|
|
|
c2e930 |
+ test Sshd_140.lns put match_blocks after
|
|
|
c2e930 |
+ set "Match[1]/Settings/PermitRootLogin" "yes";
|
|
|
c2e930 |
+ set "Match[1]/Settings/#comment" "a comment" =
|
|
|
c2e930 |
+"X11Forwarding yes
|
|
|
c2e930 |
+Match User sarko Group pres.*
|
|
|
c2e930 |
+ Banner /etc/bienvenue.txt
|
|
|
c2e930 |
+ X11Forwarding no
|
|
|
c2e930 |
+ PermitRootLogin yes
|
|
|
c2e930 |
+ # a comment
|
|
|
c2e930 |
+Match User bush Group pres.* Host white.house.*
|
|
|
c2e930 |
+Banner /etc/welcome.txt\n"
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+(* Test: Sshd_140.lns
|
|
|
c2e930 |
+ Parse Ciphers and KexAlgorithms as lists (GH issue #69) *)
|
|
|
c2e930 |
+test Sshd_140.lns get "Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
|
|
|
c2e930 |
+KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1\n" =
|
|
|
c2e930 |
+ { "Ciphers"
|
|
|
c2e930 |
+ { "1" = "aes256-gcm@openssh.com" }
|
|
|
c2e930 |
+ { "2" = "aes128-gcm@openssh.com" }
|
|
|
c2e930 |
+ { "3" = "aes256-ctr" }
|
|
|
c2e930 |
+ { "4" = "aes128-ctr" }
|
|
|
c2e930 |
+ }
|
|
|
c2e930 |
+ { "KexAlgorithms"
|
|
|
c2e930 |
+ { "1" = "diffie-hellman-group-exchange-sha256" }
|
|
|
c2e930 |
+ { "2" = "diffie-hellman-group14-sha1" }
|
|
|
c2e930 |
+ { "3" = "diffie-hellman-group-exchange-sha1" }
|
|
|
c2e930 |
+ }
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+(* Test: Sshd_140.lns
|
|
|
c2e930 |
+ Keys are case-insensitive *)
|
|
|
c2e930 |
+test Sshd_140.lns get "ciPheRs aes256-gcm@openssh.com,aes128-ctr
|
|
|
c2e930 |
+maTcH User foo
|
|
|
c2e930 |
+ x11forwarding no\n" =
|
|
|
c2e930 |
+ { "ciPheRs"
|
|
|
c2e930 |
+ { "1" = "aes256-gcm@openssh.com" }
|
|
|
c2e930 |
+ { "2" = "aes128-ctr" }
|
|
|
c2e930 |
+ }
|
|
|
c2e930 |
+ { "maTcH"
|
|
|
c2e930 |
+ { "Condition"
|
|
|
c2e930 |
+ { "User" = "foo" }
|
|
|
c2e930 |
+ }
|
|
|
c2e930 |
+ { "Settings"
|
|
|
c2e930 |
+ { "x11forwarding" = "no" }
|
|
|
c2e930 |
+ }
|
|
|
c2e930 |
+ }
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+(* Test: Sshd_140.lns
|
|
|
c2e930 |
+ Allow AllowGroups in Match groups (GH issue #75) *)
|
|
|
c2e930 |
+test Sshd_140.lns get "Match User foo
|
|
|
c2e930 |
+AllowGroups users\n" =
|
|
|
c2e930 |
+ { "Match" { "Condition" { "User" = "foo" } }
|
|
|
c2e930 |
+ { "Settings" { "AllowGroups" { "1" = "users" } } } }
|
|
|
c2e930 |
+
|
|
|
c2e930 |
+(* Local Variables: *)
|
|
|
c2e930 |
+(* mode: caml *)
|
|
|
c2e930 |
+(* End: *)
|
|
|
c2e930 |
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
|
|
c55e75 |
index b4563540..387ac7d2 100644
|
|
|
c2e930 |
--- a/tests/Makefile.am
|
|
|
c2e930 |
+++ b/tests/Makefile.am
|
|
|
c2e930 |
@@ -189,6 +189,7 @@ lens_tests = \
|
|
|
c2e930 |
lens-squid.sh \
|
|
|
c2e930 |
lens-ssh.sh \
|
|
|
c2e930 |
lens-sshd.sh \
|
|
|
c2e930 |
+ lens-sshd_140.sh \
|
|
|
c2e930 |
lens-sssd.sh \
|
|
|
c2e930 |
lens-stunnel.sh \
|
|
|
c2e930 |
lens-subversion.sh \
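Review bot: `lens-sshd_140.sh` is added to lens_tests, but no such file appears in the commit's diffstat, which lists only lenses/sshd_140.aug and lenses/tests/test_sshd_140.aug as created. If the lens-*.sh scripts are generated from the lens_tests list by a rule elsewhere in this Makefile.am, this is fine; otherwise `make check` will fail on the missing script. Worth confirming before merge, since the 1.4.0 behaviour now has coverage only through this entry.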
--
2.13.5