[config-model-users] [augeas-devel] Re: Semantic problem in augeas sshd lens ?

Dominique Dumont dominique.dumont at hp.com
Mon Sep 1 12:08:02 UTC 2008


Hello

David Lutterkort <dlutter at redhat.com> writes:

>>  $ config-edit -model Sshd  Subsystem:sftp=/usr/lib/openssh/sftp-server \
>>    Subsystem:internal-sftp=/usr/lib/openssh/sftp-server
>> 
>> But that's also another problem ;-)
>
> I agree that that schema would make more sense in this case - I'd
> appreciate if somebody would work up a patch for sshd.aug, otherwise
> I'll try and do it some time next week.

ok, let's do it.

First, I'd like to nail down the expected results correctly. The
Subsystem is not the only area which could be improved. The Match
keyword, for instance, defines a sub-tree structure:

 Match Introduces a conditional block.  If all of the criteria on the
         Match line are satisfied, the keywords on the following lines
         override those set in the global section of the config file,
         until either another Match line or the end of the file.

So here's what I suggest for testing the sshd lens. This test case (mostly
taken from Config::Model::OpenSsh) defines one Subsystem and 2 Match
blocks.

Please review the expected tree structure.

Once we agree on the expected structure, I'll modify the sshd lens
according to the test case.

All the best

PS: Do not apply this patch

diff -r 09dcb70fa724 lenses/tests/test_sshd.aug
--- a/lenses/tests/test_sshd.aug	Thu Aug 28 21:38:11 2008 -0700
+++ b/lenses/tests/test_sshd.aug	Mon Sep 01 13:57:14 2008 +0200
@@ -1,5 +1,43 @@
 module Test_sshd =
-  let accept_env = "Protocol 2\nAcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT \nAcceptEnv LC_IDENTIFICATION LC_ALL\n"
+  let accept_env = "Protocol 2
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL
+Port 22
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+UsePrivilegeSeparation yes
+KeyRegenerationInterval 3600
+serverkeybits 768
+SyslogFacility AUTH
+LogLevel INFO
+LoginGraceTime 120
+PermitRootLogin yes
+StriCTMODES yes
+RSAAuthentication yes
+PubkeyAuthentication yes
+AuthorizedKeysFile	%h/.ssh/authorized_keys
+IgnoreRhosts yes
+RhostsRSAAuthentication no
+HostbasedAuthentication no
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+MaxStartups 10:30:60
+Subsystem sftp /usr/lib/openssh/sftp-server
+UsePAM yes
+AllowUsers foo bar at 192.168.0.*
+ClientAliveCountMax 5
+ClientAliveInterval 300 
+Match User sarko Group pres.* 
+Banner /etc/bienvenue.txt
+X11Forwarding no
+Match User bush Group pres.* Host white.house.*
+Banner /etc/welcome.txt
+"
 
   test Sshd.lns get accept_env =
     { "Protocol" = "2" }
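Review bot: The fixture lines `ClientAliveInterval 300 ` and `Match User sarko Group pres.* ` end in a trailing blank that is invisible in the listing, and the expected tree in the next hunk asserts the value `"300"` with that blank gone, so this string is silently testing trailing-whitespace tolerance on top of the Match structure the thread is actually about. The same applies to the tab after `AuthorizedKeysFile` and the odd keyword case in `StriCTMODES` and `serverkeybits`, none of which is called out anywhere. A comment above `let accept_env`, e.g. `(* trailing blanks, a tab separator and mixed keyword case are intentional *)`, would keep an editor's whitespace cleanup from quietly removing a case the lens is meant to handle. Whether the lens should strip the trailing blank or reject the line is not stated in the message; the expected tree implies stripping. The `test Sshd.lns get accept_env` expression that starts at the end of this hunk continues in the next one.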
@@ -12,6 +50,54 @@
      { "AcceptEnv"
         { "6" = "LC_IDENTIFICATION" }
         { "7" = "LC_ALL" } }
+     { "Port" = "22" }	 
+     { "HostKey" 
+        { "1" = "/etc/ssh/ssh_host_rsa_key" }
+	{ "2" = "/etc/ssh/ssh_host_dsa_key" } }
+     { "UsePrivilegeSeparation" = "yes"  }
+     { "KeyRegenerationInterval" = "3600" }
+     { "serverkeybits" = "768" }
+     { "SyslogFacility" = "AUTH" }
+     { "LogLevel" = "INFO" }
+     { "LoginGraceTime" = "120" }
+     { "PermitRootLogin" = "yes" }
+     { "StriCTMODES" = "yes" }
+     { "RSAAuthentication" = "yes" }
+     { "PubkeyAuthentication" = "yes" }
+     { "AuthorizedKeysFile" = "%h/.ssh/authorized_keys" }
+     { "IgnoreRhosts" = "yes"}
+     { "RhostsRSAAuthentication" = "no"}
+     { "HostbasedAuthentication" = "no"}
+     { "PermitEmptyPasswords" = "no"}
+     { "ChallengeResponseAuthentication" = "no"}
+     { "X11Forwarding" = "yes"}
+     { "X11DisplayOffset" = "10" }
+     { "PrintMotd" = "no"}
+     { "PrintLastLog" = "yes"}
+     { "TCPKeepAlive" = "yes"}
+     { "MaxStartups" = "10:30:60"}
+     { "Subsystem" 
+        { "sftp" = "/usr/lib/openssh/sftp-server" } }
+     { "UsePAM" = "yes"}
+     { "AllowUsers"
+       { "1" = "foo" }
+       { "2" = "bar at 192.168.0.*" } }
+     { "ClientAliveCountMax" = "5"}
+     { "ClientAliveInterval" = "300"}
+     { "Match"
+       { "1"
+          { "User" = "sarko" }
+          { "Group" = "pres.*" } 
+	  { "Elements"
+            { "Banner" = "/etc/bienvenue.txt" }
+	    { "X11Forwarding" = "no" } } }
+       { "2"
+          { "User" = "bush" }
+          { "Group" = "pres.*" } 
+	  { "Host"  = "white.house.*" }
+	  { "Elements"
+            { "Banner" = "/etc/welcome.txt" } } } }
+
 
   test Sshd.lns put accept_env after
       rm "AcceptEnv";
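Review bot: The `AllowUsers` expectation `{ "2" = "bar at 192.168.0.*" }` only holds if that value is a single blank-free token, yet as shown on this page it contains spaces, which looks like the archive's munging of a `user@host` pattern; a lens that splits `AllowUsers` on whitespace, as the numbered `"1"`/`"2"` children assume, would yield four children from the text as archived, so the fixture and this expectation should be checked against the original message rather than the archived copy. The proposed `Match` tree keeps the criteria (`User`, `Group`, `Host`) as direct children and moves the overridden keywords under `Elements`; since that separation is the structure the thread asks reviewers to agree on, a comment stating it explicitly, e.g. `(* Match criteria are direct children; overridden keywords live under "Elements" *)`, would make the intent survive the lens rewrite. The added expected-tree lines also mix tab and space indentation (the `HostKey`, `Elements` and `Host` lines), which is worth normalising before the test is committed. The `test ... get accept_env` expression this hunk extends begins in the previous hunk.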


-- 
Dominique Dumont 
"Delivering successful solutions requires giving people what they
need, not what they want." Kurt Bittner



