Hi Spike.
> The point is -- in general, augeas barfs whenever there's a Match block.
> With the lens file that ships with augtool. (This is documented in the lens
> file.)
What version of Augeas are you using? My version, 1.8.1, has different
documentation in the lens file:
"""
About: CAVEATS
In sshd_config, Match blocks must be located at the end of the file.
This means that any new "global" parameters (i.e. outside of a Match
block) must be written before the first Match block. By default,
Augeas will write new parameters at the end of the file.
I.e. if you have a Match section and no ChrootDirectory parameter,
this command:
> set /files/etc/ssh/sshd_config/ChrootDirectory "foo"
will be stored in a new node after the Match section and Augeas will
refuse to save sshd_config file.
To create a new parameter at the right place, you must first create
a new Augeas node before the Match section:
> ins ChrootDirectory before /files/etc/ssh/sshd_config/Match
Then, you can set the parameter
> set /files/etc/ssh/sshd_config/ChrootDirectory "foo"
"""
No mention of a general problem that the lens could not handle, except for
ensuring that all Match blocks are positioned at the end of the file. And, as
Dan said, there are tools to handle such situations more easily. In our case, we
also have Puppet to manage (open-)ssh, though we employ basic ERB templates,
which don’t have the same pitfalls as Augeas.
Ciao,
Xavier.
From: Spike White <[email protected]>
Sent: Saturday, 24 April 2021 21:30
To: Mol, Xavier (SCC) <[email protected]>
Cc: [email protected]
Subject: Re: [augeas-devel] Partial answer to augeas not being able to parse / deal with sshd_config Match blocks...
Xavier,
The point is -- in general, augeas barfs whenever there's a Match block. With
the lens file that ships with augtool. (This is documented in the lens file.)
That's a problem for a general-purpose parsing of a sshd_config file, when you
don't know a priori whether the sshd_config file has a Match block or not.
Yes, there are some exotic edge cases in which augeas can tolerate Match
blocks. I've found 1-2 myself. But in the main, the lens file doesn't
tolerate Match blocks.
I was proposing a minuscule restriction to the sshd_config syntax that should
allow the lens file to be embellished to handle Match blocks.
Spike
On Fri, Apr 23, 2021 at 2:06 AM Mol, Xavier (SCC) <[email protected]> wrote:
Hi Spike,
I don’t know your use case, but wouldn’t it be easier to tell Augeas to add
UsePrivilegeSeparation before the first Match block?
augtool> ins UsePrivilegeSeparation before /files/etc/ssh/sshd_config/Match[1]
augtool> set /files/etc/ssh/sshd_config/UsePrivilegeSeparation yes
Of course, this doesn’t work out anymore when you are not sure
UsePrivilegeSeparation wasn’t set before already. sshd_config will be correct
anyway, but this approach would add another ‘UsePrivilegeSeparation = yes’ line
every time.
Ciao,
Xavier.
From: [email protected] <[email protected]> on behalf of Spike White
Sent: Thursday, 22 April 2021 20:00
To: [email protected]
Subject: [augeas-devel] Partial answer to augeas not being able to parse / deal with sshd_config Match blocks...
Augeas people,
augeas has a problem dealing with Match blocks in /etc/ssh/sshd_config. It's
even documented in the notes in the lens file for that file.
I know that a general purpose parsing of a Match block in augeas is a problem.
I've tried. The problem is that augeas by default appends new lines (where
they're missing in original file) to the end of the file.
Thus if you have an existing Match block at the end of the sshd_config file
such as:
Match User servicepptprdvra
MaxSessions 999
ClientAliveInterval 360
ClientAliveCountMax 3
and you want augeas to add UsePrivilegeSeparation yes as so:
Match User servicepptprdvra
MaxSessions 999
ClientAliveInterval 360
ClientAliveCountMax 3
UsePrivilegeSeparation yes
then this UsePrivilegeSeparation will not apply to all users & hosts (as
desired), but only to the user specified in the Match block condition.
In a nutshell, I think that's the problem with augeas dealing with a Match
block.
Is this a partial solution?
If you restrict augeas so that every match block it writes and every Match
block it parses ends with a line:
Match All
to close an existing Match block. That is, if you have this:
Match User servicepptprdvra
MaxSessions 999
ClientAliveInterval 360
ClientAliveCountMax 3
Match All
and you want augeas to add UsePrivilegeSeparation yes as so:
Match User servicepptprdvra
MaxSessions 999
ClientAliveInterval 360
ClientAliveCountMax 3
Match All
UsePrivilegeSeparation yes
Then this UsePrivilegeSeparation will be applied to all users & hosts, as
desired.
This is a small restriction on the sshd_config syntax when using augeas, but
not egregiously so.
Spike White
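The scoping problem described in this message, and the idempotency gap Xavier points out with the "ins ... before Match[1]" recipe, can both be checked without Augeas. The following is an added illustration, not code from Augeas or from anyone on the thread; the sshd_config sample is constructed, and the functions only model how sshd scopes directives (everything after the first Match line belongs to a Match block until the next Match line).

```python
import re

# Constructed sample, modelled on the file in the thread (not a real host's config).
SAMPLE = """Port 22
PermitRootLogin no
Match User servicepptprdvra
MaxSessions 999
ClientAliveInterval 360
ClientAliveCountMax 3
"""

# sshd keywords are case-insensitive; a comment line never starts with Match.
MATCH_LINE = re.compile(r"\s*Match\b", re.IGNORECASE)


def first_match_index(lines):
    """Index of the first 'Match' line, or len(lines) if the file has none."""
    for i, line in enumerate(lines):
        if MATCH_LINE.match(line):
            return i
    return len(lines)


def _key_pattern(key):
    return re.compile(r"\s*" + re.escape(key) + r"\b", re.IGNORECASE)


def set_global(config, key, value):
    """Set KEY VALUE in global scope, i.e. before the first Match block.

    An existing global occurrence is updated in place, so repeated calls do not
    pile up duplicate lines the way a bare 'ins ... before Match[1]' would.
    """
    lines = config.splitlines()
    cut = first_match_index(lines)
    pat = _key_pattern(key)
    for i in range(cut):
        if pat.match(lines[i]):
            lines[i] = f"{key} {value}"
            break
    else:
        lines.insert(cut, f"{key} {value}")
    return "\n".join(lines) + "\n"


def scope_of(config, key):
    """'global' if KEY is set before any Match, 'match' if only inside a Match
    block (the silent mis-scoping the thread describes), None if absent."""
    lines = config.splitlines()
    cut = first_match_index(lines)
    pat = _key_pattern(key)
    if any(pat.match(l) for l in lines[:cut]):
        return "global"
    if any(pat.match(l) for l in lines[cut:]):
        return "match"
    return None
```

Running scope_of over a file that was edited by appending is the audit a defender wants: a directive that was meant to harden every session but reports "match" only applies to the users named in the Match condition.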