Augeas aficionados,

I've been using augeas for years.  Both with puppet and stand-alone.

Also, I've been using Augeas to manipulate the /etc/ssh/sshd_config file for
years.  Now with the advent of Match blocks in the sshd_config files, I'm
having challenges.

David Lutterkort calls out this exact problem in the sshd.aug lens file:

  About: CAVEATS
  In sshd_config, Match blocks must be located at the end of the file.
  This means that any new "global" parameters (i.e. outside of a Match
  block) must be written before the first Match block. By default,
  Augeas will write new parameters at the end of the file.

  I.e. if you have a Match section and no ChrootDirectory parameter,
  this command:

     > set /files/etc/ssh/sshd_config/ChrootDirectory "foo"

  will be stored in a new node after the Match section and Augeas will
  refuse to save sshd_config file.

  To create a new parameter as the right place, you must first create
  a new Augeas node before the Match section:

     > ins ChrootDirectory before /files/etc/ssh/sshd_config/Match

  Then, you can set the parameter

     > set /files/etc/ssh/sshd_config/ChrootDirectory "foo"

So I understand what this lens author is saying.  Here's my augeas code,
doing basic SSH hardening (per CIS recommendations):

defnode sshd /files/etc/ssh/sshd_config
set $sshd/PermitRootLogin no
set $sshd/UsePrivilegeSeparation sandbox
set $sshd/Ciphers/1 aes128-ctr
…

save

This code works great -- if there are no Match blocks in the sshd_config file.

A particular server needs these Match blocks:

Match User ServicePPTDEVVRA
  MaxSessions 250
Match User ServicePPTDEVDCA
  MaxSessions 250

Let's take the 'PermitRootLogin' line as an example.  If I know there's no
PermitRootLogin line, I should be able to do this:

defnode sshd /files/etc/ssh/sshd_config
# 'ins' takes a bare label (not a path) and creates the new node next to
# the target; the target path must match exactly one node
ins PermitRootLogin before $sshd/Match
set $sshd/PermitRootLogin no

save

or possibly this:

defnode sshd /files/etc/ssh/sshd_config
# target the first Match block explicitly, so 'ins' has exactly one match
ins PermitRootLogin before $sshd/Match[1]
set $sshd/PermitRootLogin no

save

But how do I know whether to issue this 'ins' command or not?  (How do I know if
there's a pre-existing PermitRootLogin line or not?)  If I issue an 'ins'
command and there's an existing PermitRootLogin line, it will error out, I
believe.

Need your assistance to re-code my augeas code, to handle the case where
Match blocks exist.
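Since the question is "how do I know whether to issue the ins or not", here is an added example (not code from the original post and not part of the Augeas project) showing one way to make that decision with Puppet's augeas type, which the post mentions using alongside augtool. It assumes Puppet 4+ syntax, the stock sshd.aug lens (so the tree is /files/etc/ssh/sshd_config with one Match[n] node per Match block and per-block settings under Match/Settings), and a service named sshd; the resource titles and the $sshd_global variable are my own.

```puppet
# Added example, not from the original post or the Augeas project.
# Idempotent sshd_config hardening that works whether or not the file
# contains Match blocks. Assumes Puppet 4+ and the stock sshd.aug lens.

# Global (non-Match) directives to enforce; values follow the hardening
# snippet in the post. Scalar directives only, see the note below for lists.
$sshd_global = {
  'PermitRootLogin'        => 'no',
  'UsePrivilegeSeparation' => 'sandbox',
}

$sshd_global.each |String $directive, String $value| {

  # Case 1: the directive is absent from the global section AND at least
  # one Match block exists. Only then must the node be created explicitly
  # before the first Match block. 'ins' and 'set' run in one Augeas
  # session, so the file is never saved with an empty node.
  #
  # The predicate count(../<directive>) = 0 counts only children of the
  # sshd_config node, i.e. the global section; a same-named directive
  # inside a Match block lives under Match/Settings and is not counted.
  # If the directive already exists, the match is empty and nothing is
  # inserted (no duplicate node). If there is no Match block at all, the
  # match is also empty and Augeas' default append is correct anyway.
  augeas { "sshd_config ${directive} before Match":
    context => '/files/etc/ssh/sshd_config',
    onlyif  => "match Match[count(../${directive}) = 0] size > 0",
    changes => [
      "ins ${directive} before Match[1]",
      "set ${directive} ${value}",
    ],
    before  => Augeas["sshd_config ${directive} value"],
  }

  # Case 2 and the steady state: 'set' on an existing node only changes
  # its value, so this is idempotent on every run. On a file without
  # Match blocks a missing node is appended at the end, which is valid.
  augeas { "sshd_config ${directive} value":
    context => '/files/etc/ssh/sshd_config',
    changes => "set ${directive} ${value}",
    notify  => Service['sshd'],
  }
}

service { 'sshd':
  ensure => running,
}
```

The same two-resource pattern covers stand-alone use: the `onlyif` test is just `match` from augtool, so a wrapper script can run `augtool match /files/etc/ssh/sshd_config/PermitRootLogin` first and choose between the ins+set script and the plain set script from its output. List entries such as Ciphers are keyed differently in the lens (Ciphers/1, Ciphers/2, ...), so they need their own pair of resources: test with count(../Ciphers), insert with `ins Ciphers before Match[1]`, then `set Ciphers/1 aes128-ctr` as in the post's own snippet.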
_______________________________________________
augeas-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/augeas-devel