Xavier,

The point is -- in general, augeas barfs whenever there's a Match block. With the lens file that ships with augtool. (This is documented in the lens file.)

That's a problem for a general-purpose parsing of a sshd_config file, when you don't know a priori whether the sshd_config file has a Match block or not. Yes, there are some exotic edge cases in which augeas can tolerate Match blocks. I've found 1-2 myself. But in the main, the lens file doesn't tolerate Match blocks. I was proposing a minuscule restriction to the sshd_config syntax that should allow the lens file to be embellished to handle Match blocks.

Spike

On Fri, Apr 23, 2021 at 2:06 AM Mol, Xavier (SCC) <[email protected]> wrote:
> Hi Spike,
>
> I don't know your use case, but wouldn't it be easier to tell Augeas to
> add UsePrivilegeSeparation before the first Match block?
>
> augtool> ins UsePrivilegeSeparation before /files/etc/ssh/sshd_config/Match[1]
> augtool> set /files/etc/ssh/sshd_config/UsePrivilegeSeparation yes
>
> Of course, this doesn't work out anymore when you are not sure
> UsePrivilegeSeparation wasn't set before already. sshd_config will be
> correct anyway, but this approach would add another
> 'UsePrivilegeSeparation = yes' line every time.
>
> Ciao,
> Xavier.
>
> From: [email protected] <[email protected]> on behalf of Spike White
> Sent: Thursday, 22 April 2021 20:00
> To: [email protected]
> Subject: [augeas-devel] Partial answer to augeas not being able to parse / deal with sshd_config Match blocks...
>
> Augeas people,
>
> augeas has a problem dealing with Match blocks in /etc/ssh/sshd_config.
> It's even documented in the notes in the lens file for that file.
>
> I know that a general purpose parsing of a Match block in augeas is a
> problem. I've tried. The problem is that augeas by default appends new
> lines (where they're missing in original file) to the end of the file.
>
> Thus if you have an existing Match block at the end of the sshd_config
> file such as:
>
> Match User servicepptprdvra
>     MaxSessions 999
>     ClientAliveInterval 360
>     ClientAliveCountMax 3
>
> and you want augeas to add UsePrivilegeSeparation yes as so:
>
> Match User servicepptprdvra
>     MaxSessions 999
>     ClientAliveInterval 360
>     ClientAliveCountMax 3
>
> UsePrivilegeSeparation yes
>
> then this UsePrivilegeSeparation will not apply to all users & hosts (as
> desired), but only to the user specified in the Match block condition.
>
> In a nutshell, I think that's the problem with augeas dealing with a Match
> block.
>
> Is this a partial solution?:
>
> If you restrict augeas so that every Match block it writes and every Match
> block it parses ends with a line:
>
> Match All
>
> to close an existing Match block. That is, if you have this:
>
> Match User servicepptprdvra
>     MaxSessions 999
>     ClientAliveInterval 360
>     ClientAliveCountMax 3
>
> Match All
>
> and you want augeas to add UsePrivilegeSeparation yes as so:
>
> Match User servicepptprdvra
>     MaxSessions 999
>     ClientAliveInterval 360
>     ClientAliveCountMax 3
>
> Match All
>
> UsePrivilegeSeparation yes
>
> then this UsePrivilegeSeparation will be applied to all users & hosts,
> as desired.
>
> This is a small restriction on the sshd_config syntax when using augeas,
> but not egregiously so.
>
> Spike White
_______________________________________________
augeas-devel mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/augeas-devel
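The scoping problem the thread describes, as an added example that is not part of the thread and not augeas or augtool code: a small Python scope parser for sshd_config that shows where a directive ends up when it is blindly appended after a trailing Match block, and two placements that keep it global, namely inserting before the first Match line (Xavier's augtool approach, done idempotently so a re-run does not add a duplicate) and closing the block with `Match All` (Spike's proposal). The sample configuration is constructed; the parser assumes sshd's rule that a Match block runs until the next Match line and treats keys case-insensitively.

```python
"""Scope-aware placement of a global sshd_config directive.

Added example, not from the augeas thread. Assumptions: a directive is a
"Key value" or "Key=value" line, '#' starts a comment, keys are
case-insensitive, and a "Match" line opens a block that lasts until the
next "Match" line (this is how sshd reads the file)."""

from __future__ import annotations
import re

# Constructed sample: two global directives, then a trailing Match block.
CONSTRUCTED_CONFIG = """\
# constructed sample sshd_config
PermitRootLogin no
PasswordAuthentication no

Match User servicepptprdvra
    MaxSessions 999
    ClientAliveInterval 360
    ClientAliveCountMax 3
"""

_MATCH_LINE = re.compile(r"^\s*match\b", re.IGNORECASE)
_DIRECTIVE = re.compile(r"([^\s=]+)\s*=?\s*(.*)")


def _body(raw: str) -> str:
    """Strip a trailing comment and surrounding whitespace from a config line."""
    return raw.split("#", 1)[0].strip()


def parse_scopes(text: str) -> list[tuple[str, dict[str, str]]]:
    """Return [(scope, {key: value})] where scope is 'global' or the Match criteria.

    'Match All' matches every connection, so it is reported as 'global'."""
    scopes: list[tuple[str, dict[str, str]]] = [("global", {})]
    for raw in text.splitlines():
        body = _body(raw)
        if not body:
            continue
        key, value = _DIRECTIVE.match(body).groups()
        if key.lower() == "match":
            scopes.append(("global" if value.strip().lower() == "all" else value.strip(), {}))
            continue
        scopes[-1][1][key.lower()] = value.strip()
    return scopes


def scope_of(text: str, key: str) -> list[str]:
    """Every scope in which `key` is set, in file order."""
    return [scope for scope, directives in parse_scopes(text) if key.lower() in directives]


def append_directive(text: str, key: str, value: str) -> str:
    """What a naive 'append at end of file' edit produces."""
    return text.rstrip("\n") + f"\n{key} {value}\n"


def insert_global_directive(text: str, key: str, value: str) -> str:
    """Set `key` in the global section, before the first Match line.

    If the key already exists in the global section it is replaced in
    place, so repeated runs do not accumulate duplicate lines."""
    lines = text.splitlines()
    first_match = next((i for i, l in enumerate(lines) if _MATCH_LINE.match(l)), len(lines))
    new_line = f"{key} {value}"
    for i in range(first_match):
        body = _body(lines[i])
        if body and _DIRECTIVE.match(body).group(1).lower() == key.lower():
            lines[i] = new_line
            return "\n".join(lines) + "\n"
    lines.insert(first_match, new_line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    naive = append_directive(CONSTRUCTED_CONFIG, "UsePrivilegeSeparation", "yes")
    print("appended at end   ->", scope_of(naive, "UsePrivilegeSeparation"))
    fixed = insert_global_directive(CONSTRUCTED_CONFIG, "UsePrivilegeSeparation", "yes")
    print("before first Match->", scope_of(fixed, "UsePrivilegeSeparation"))
    closed = append_directive(CONSTRUCTED_CONFIG + "\nMatch All\n", "UsePrivilegeSeparation", "yes")
    print("after Match All   ->", scope_of(closed, "UsePrivilegeSeparation"))
```

Running the block shows the appended directive landing in the `User servicepptprdvra` scope, while both the insert-before-first-Match placement and the `Match All` terminator leave it global. A configuration-management check built on `scope_of` catches the silent narrowing before the file is deployed, which is the practical risk in the thread: a hardening directive that sshd accepts without complaint but only applies to one matched user.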
