Hi Spike,

I don’t know your use case, but wouldn’t it be easier to tell Augeas to add UsePrivilegeSeparation before the first Match block?

    augtool> ins UsePrivilegeSeparation before /files/etc/ssh/sshd_config/Match[1]
    augtool> set /files/etc/ssh/sshd_config/UsePrivilegeSeparation yes

Of course, this doesn’t work out anymore when you are not sure UsePrivilegeSeparation wasn’t set before already. sshd_config will be correct anyway, but this approach would add another ‘UsePrivilegeSeparation = yes’ line every time.

Ciao, Xavier.

From: [email protected] <[email protected]> On behalf of Spike White
Sent: Thursday, 22 April 2021 20:00
To: [email protected]
Subject: [augeas-devel] Partial answer to augeas not being able to parse / deal with sshd_config Match blocks...

Augeas people,

augeas has a problem dealing with Match blocks in /etc/ssh/sshd_config. It's even documented in the notes in the lens file for that file.

I know that a general purpose parsing of a Match block in augeas is a problem. I've tried.

The problem is that augeas by default appends new lines (where they're missing in original file) to the end of the file. Thus if you have an existing Match block at the end of the sshd_config file such as:

    Match User servicepptprdvra
    MaxSessions 999
    ClientAliveInterval 360
    ClientAliveCountMax 3

and you want augeas to add UsePrivilegeSeparation yes as so:

    Match User servicepptprdvra
    MaxSessions 999
    ClientAliveInterval 360
    ClientAliveCountMax 3
    UsePrivilegeSeparation yes

then this UsePrivilegeSeparation will not apply to all users & hosts (as desired), but only to the user specified in the Match block condition.

In a nutshell, I think that's the problem with augeas dealing with a Match block.

Is this a partial solution?:

If you restrict augeas so that every Match block it writes and every Match block it parses ends with a line:

    Match All

to close an existing Match block. That is, if you have this:

    Match User servicepptprdvra
    MaxSessions 999
    ClientAliveInterval 360
    ClientAliveCountMax 3
    Match All

and you want augeas to add UsePrivilegeSeparation yes as so:

    Match User servicepptprdvra
    MaxSessions 999
    ClientAliveInterval 360
    ClientAliveCountMax 3
    Match All
    UsePrivilegeSeparation yes

Then this UsePrivilegeSeparation will be applied to all users & hosts, as desired.

This is a small restriction on the sshd_config syntax when using augeas, but not egregiously so.

Spike White
_______________________________________________ augeas-devel mailing list [email protected] https://listman.redhat.com/mailman/listinfo/augeas-devel
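The scoping problem discussed in this thread, as an added example that is not part of either message and is not Augeas code: a Python sketch that reports which Match scope a keyword lands in and places a global setting before the first Match block without duplicating it on repeated runs. The function names are hypothetical, and the sample file is constructed from the Match block quoted above plus one invented global line.

```python
import re

# Constructed sample: the Match block from the thread plus one global line.
SAMPLE = """\
PermitRootLogin no
Match User servicepptprdvra
    MaxSessions 999
    ClientAliveInterval 360
    ClientAliveCountMax 3
"""

def split_directive(line):
    """Return (lowercased keyword, args), or None for blank and comment lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = re.split(r"[\s=]+", stripped, maxsplit=1)
    return parts[0].lower(), parts[1] if len(parts) > 1 else ""

def scopes_of(text, keyword):
    """List the scope ('global' or the Match criteria) of each occurrence."""
    scope, found = "global", []
    for line in text.splitlines():
        d = split_directive(line)
        if d is None:
            continue
        key, args = d
        if key == "match":
            scope = args              # a Match block runs to the next Match or EOF
        elif key == keyword.lower():
            found.append(scope)
    return found

def ensure_global(text, keyword, value):
    """Set keyword in the global section; insert before the first Match if absent."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        d = split_directive(line)
        if d is None:
            continue
        if d[0] == "match":           # end of global section: insert here
            lines.insert(i, f"{keyword} {value}")
            break
        if d[0] == keyword.lower():   # already set globally: update in place
            lines[i] = f"{keyword} {value}"
            break
    else:                             # no Match block and no existing setting
        lines.append(f"{keyword} {value}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    appended = SAMPLE + "UsePrivilegeSeparation yes\n"
    print(scopes_of(appended, "UsePrivilegeSeparation"))
    print(ensure_global(SAMPLE, "UsePrivilegeSeparation", "yes"))
```

Running `scopes_of` over a managed file before and after a change is a quick check that a setting meant for every connection has not ended up inside a per-user Match block.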
