sshd_config lens patch (was: [config-model-users] [augeas-devel] Re: Semantic problem in augeas sshd lens ?)

Dominique Dumont dominique.dumont at hp.com
Mon Sep 8 16:36:36 UTC 2008


David Lutterkort <lutter at redhat.com> writes:

>> I'm somewhat reluctant to mix Augeas defined keyword with OpenSSH
>> keywords at the same structural level. How about :
>> 
>>      { "Match"
>>        { "Condition" { "User" = "sarko" }}
>>        { "Condition" { "Group" = "pres.*" }}
>>        { "Payload"   { "Banner" = "/etc/bienvenue.txt" }
>>                      { "X11Forwarding" = "no" } 
>>                      }
>> 
>> Then, the effects of the matched conditions are explicit in the Payload
>> lens.
>
> Can we call that 'Settings' or similar ? Though I quite liked the
> '.Condition', especially since I came up with it ;)

I'm fine with "Settings".

Here's a first attempt at a better sshd lens.

All the best

diff -r 09dcb70fa724 lenses/sshd.aug
--- a/lenses/sshd.aug	Thu Aug 28 21:38:11 2008 -0700
+++ b/lenses/sshd.aug	Mon Sep 08 18:33:42 2008 +0200
@@ -7,7 +7,7 @@
    let sep = Util.del_ws_spc
 
    let key_re = /[A-Za-z0-9]+/ 
-         - /MACs|Match|AcceptEnv|(Allow|Deny)(Groups|Users)/
+         - /MACs|Match|AcceptEnv|Subsystem|(Allow|Deny)(Groups|Users)/
 
    let comment = [ del /(#.*|[ \t]*)\n/ "\n" ]
 
@@ -26,6 +26,14 @@
    let deny_groups = array_entry "DenyGroups"
    let deny_users = array_entry "DenyUsers"
 
+   let subsystemvalue = 
+     let value = store  /[^ \t\n]+/ in
+     [ key /[A-Za-z0-9]+/ . sep . value . eol ]  
+
+   let subsystem = 
+     let value = store  /[^ \t\n]+([ \t]+[^ \t\n]+)*/ in
+     [ key "Subsystem" .  sep .  subsystemvalue ]  
+
    let macs =
      let mac_value = store /[^, \t\n]+/ in
      [ key "MACs" . sep .
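Review bot: In `subsystem` the binding `let value = store /[^ \t\n]+([ \t]+[^ \t\n]+)*/ in` is never used, so it is dead code, and the argument is actually matched by `subsystemvalue`'s `store /[^ \t\n]+/`, which stops at the first blank. A Subsystem line in sshd_config is a subsystem name followed by a command and optional space-separated arguments (constructed example: `Subsystem sftp internal-sftp -l INFO`), and such a line would make the whole file fail to parse with this lens. Moving the multi-token regex into `subsystemvalue` — `let value = store /[^ \t\n]+([ \t]+[^ \t\n]+)*/ in` — and dropping the unused binding from `subsystem` fixes both points. The `macs` definition that follows continues outside the hunk.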
@@ -33,17 +41,21 @@
          ([ seq "macs" . Util.del_str "," . mac_value])* .
          eol ]
 
+   let match_cond = 
+     [ label "Condition" . sep . [ key /[A-Za-z0-9]+/ . sep . 
+                             store /[^ \t\n]+/ ] ]
+
+   let match_entry = 
+     ( comment | other_entry )
+
    let match =
-     let value = store /[^ \t\n]+([ \t]+[^ \t\n]+)*/ in
-     [ key "Match" . sep .
-         [ seq "match" .
-             [ label "cond" . value . eol ] .
-             (sep . other_entry) *
-         ]
+     [ key "Match" . match_cond+ . del / */ "" . del "\n" "\n"
+        . [ label "Settings" .  match_entry+ ]
      ]
 
   let lns = (comment | accept_env | allow_groups | allow_users
-          | deny_groups | deny_users | macs | match | other_entry ) *
+          | deny_groups | subsystem | deny_users | macs 
+          | other_entry ) * . match*
 
   let xfm = transform lns (incl "/etc/ssh/sshd_config")
 
diff -r 09dcb70fa724 lenses/tests/test_sshd.aug
--- a/lenses/tests/test_sshd.aug	Thu Aug 28 21:38:11 2008 -0700
+++ b/lenses/tests/test_sshd.aug	Mon Sep 08 18:33:42 2008 +0200
@@ -1,5 +1,8 @@
 module Test_sshd =
-  let accept_env = "Protocol 2\nAcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT \nAcceptEnv LC_IDENTIFICATION LC_ALL\n"
+
+  let accept_env = "Protocol 2
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL\n"
 
   test Sshd.lns get accept_env =
     { "Protocol" = "2" }
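Review bot: The rewritten `accept_env` fixture silently drops the trailing blank the old string had after `LC_MEASUREMENT` (the removed line ends in `LC_MEASUREMENT \n`, the new line ends at `LC_MEASUREMENT`), so the get test no longer exercises trailing whitespace before a newline, which hand-edited sshd_config files commonly contain. Keeping the blank in the new multi-line literal preserves that coverage. If the blank was removed because the lens rejects it, that is a behaviour change worth a comment on the test rather than a silent fixture edit.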
@@ -9,9 +12,16 @@
         { "3" = "LC_ADDRESS" }
         { "4" = "LC_TELEPHONE" }
         { "5" = "LC_MEASUREMENT" } }
-     { "AcceptEnv"
+    { "AcceptEnv"
         { "6" = "LC_IDENTIFICATION" }
         { "7" = "LC_ALL" } }
+
+
+  test Sshd.lns get "HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key\n" =
+    { "HostKey" = "/etc/ssh/ssh_host_rsa_key" }
+    { "HostKey" = "/etc/ssh/ssh_host_dsa_key" }
+
 
   test Sshd.lns put accept_env after
       rm "AcceptEnv";
@@ -20,6 +30,37 @@
       set "X11Forwarding" "yes"
    = "Protocol 1.5\nX11Forwarding yes\n"
 
+  test Sshd.lns get "AuthorizedKeysFile  %h/.ssh/authorized_keys\n" =
+    { "AuthorizedKeysFile" = "%h/.ssh/authorized_keys" }
+
+  test Sshd.lns get "Subsystem sftp /usr/lib/openssh/sftp-server\n" =
+    { "Subsystem" 
+	{ "sftp" = "/usr/lib/openssh/sftp-server" } }
+
+
+
+  let match_blocks = "X11Forwarding yes
+Match User sarko Group pres.*
+Banner /etc/bienvenue.txt
+X11Forwarding no
+Match User bush Group pres.* Host white.house.*
+Banner /etc/welcome.txt
+"
+  test Sshd.lns get match_blocks =
+    { "X11Forwarding" = "yes"}
+      { "Match"
+	  { "Condition" { "User" = "sarko"   } }
+	  { "Condition" { "Group" = "pres.*" } }
+	  { "Settings"  { "Banner" = "/etc/bienvenue.txt" }
+       	                { "X11Forwarding" = "no" } } }
+      { "Match"
+	  { "Condition" { "User" = "bush"    } }
+	  { "Condition" { "Group" = "pres.*" } }
+	  { "Condition" { "Host"  = "white.house.*" } }
+	  { "Settings"  { "Banner" = "/etc/welcome.txt" } } }
+
+
+
 (* Local Variables: *)
 (* mode: caml       *)
 (* End:             *)
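Review bot: The new `match_blocks` test only runs `get`; there is no `put` test for Match blocks, although the new `match` lens in sshd.aug carries default strings for the whitespace it deletes (`del / */ ""` and `del "\n" "\n"`) and those defaults are only exercised when a Match node is created or edited from the tree. A round trip such as `test Sshd.lns put match_blocks after set "Match[1]/Settings/PasswordAuthentication" "no" = ...` with the expected text would pin the output format. The `Subsystem` test covers only a single-token argument; a fixture with arguments (constructed: `Subsystem sftp /usr/lib/openssh/sftp-server -l INFO`) would show where the current value regex stops. The expected trees of the `Subsystem` and `match_blocks` tests mix tabs and spaces for indentation while the rest of the file uses spaces only.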

-- 
Dominique Dumont 
"Delivering successful solutions requires giving people what they
need, not what they want." Kurt Bittner



