[augeas-devel] Partial answer to augeas not being able to parse / deal with sshd_config Match blocks...

Spike White spikewhitetx at gmail.com
Sat Apr 24 19:29:38 UTC 2021


Xavier,

The point is -- in general, augeas barfs whenever there's a Match block.
With the lens file that ships with augtool.  (This is documented in the
lens file.)

That's a problem for a general-purpose parsing of a sshd_config file, when
you don't know a priori whether the sshd_config file has a Match block or
not.

Yes, there are some exotic edge cases in which augeas can tolerate Match
blocks.  I've found 1-2 myself.  But in the main, the lens file doesn't
tolerate Match blocks.

I was proposing a minuscule restriction to the sshd_config syntax that
should allow the lens file to be embellished to handle Match blocks.

Spike

On Fri, Apr 23, 2021 at 2:06 AM Mol, Xavier (SCC) <xavier.mol at kit.edu>
wrote:

> Hi Spike,
>
> I don’t know your use case, but wouldn’t it be easier to tell Augeas to
> add UsePrivilegeSeparation before the first Match block?
>
> augtool> ins UsePrivilegeSeparation before /files/etc/ssh/sshd_config/Match[1]
> augtool> set /files/etc/ssh/sshd_config/UsePrivilegeSeparation yes
>
> Of course, this doesn’t work out anymore when you are not sure
> UsePrivilegeSeparation wasn’t set before already. sshd_config will be
> correct anyway, but this approach would add another
> ‘UsePrivilegeSeparation = yes’ line every time.
>
> Ciao,
>
> Xavier.
>
> *From:* augeas-devel-bounces at redhat.com <augeas-devel-bounces at redhat.com> *On Behalf Of* Spike White
> *Sent:* Thursday, 22 April 2021 20:00
> *To:* augeas-devel at redhat.com
> *Subject:* [augeas-devel] Partial answer to augeas not being able to
> parse / deal with sshd_config Match blocks...
>
> Augeas people,
>
> augeas has a problem dealing with Match blocks in /etc/ssh/sshd_config.
> It's even documented in the notes in the lens file for that file.
>
> I know that a general purpose parsing of a Match block in augeas is a
> problem.  I've tried.  The problem is that augeas by default appends new
> lines (where they're missing in original file) to the end of the file.
>
> Thus if you have an existing Match block at the end of the sshd_config
> file such as:
>
> Match User servicepptprdvra
>    MaxSessions 999
>    ClientAliveInterval 360
>    ClientAliveCountMax 3
>
> and you want augeas to add UsePrivilegeSeparation yes as so:
>
>   Match User servicepptprdvra
>    MaxSessions 999
>    ClientAliveInterval 360
>    ClientAliveCountMax 3
>
>   UsePrivilegeSeparation yes
>
> then this UsePrivilegeSeparation will not apply to all users & hosts (as
> desired), but only to the user specified in the Match block condition.
>
> In a nutshell, I think that's the problem with augeas dealing with a Match
> block.
>
> Is this a partial solution?
>
> If you restrict augeas so that every match block it writes and every Match
> block it parses ends with a line:
>
> Match All
>
> to close an existing Match block.  That is, if you have this:
>
>   Match User servicepptprdvra
>    MaxSessions 999
>    ClientAliveInterval 360
>    ClientAliveCountMax 3
>
>   Match All
>
> and you want augeas to add UsePrivilegeSeparation yes as so:
>
>   Match User servicepptprdvra
>    MaxSessions 999
>    ClientAliveInterval 360
>    ClientAliveCountMax 3
>
>   Match All
>
>   UsePrivilegeSeparation yes
>
> Then this UsePrivilegeSeparation will be applied to all users & hosts,
> as desired.
>
> This is a small restriction on the sshd_config syntax when using augeas,
> but not egregiously so.
>
> Spike White
>
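As an added example (not code from the thread, from Augeas, or from OpenSSH), a small Python model of the two points raised above: which Match scope a directive lands in when it is simply appended, and how to set a global directive idempotently by rewriting an existing global line or inserting before the first Match line, the same idea as Xavier's `ins ... before /Match[1]`. The sample config and all function names are constructed for this example; "Match All" is treated as a Match line whose criteria string is "All", as in Spike's closing-line proposal.

```python
import re

# Constructed sample modelled on the thread's sshd_config fragment.
SAMPLE = """Port 22
Match User servicepptprdvra
   MaxSessions 999
   ClientAliveInterval 360
   ClientAliveCountMax 3
"""
MATCH_RE = re.compile(r"^Match\s+(.+?)\s*$", re.IGNORECASE)
DIRECTIVE_RE = re.compile(r"^([A-Za-z0-9]+)\s*[= ]\s*(.*?)\s*$")

def parse(text):
    """Return (keyword, value, scope) triples; scope is None in the global
    section, else the criteria of the enclosing Match line ('User x', 'All')."""
    scope, out = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = MATCH_RE.match(line)
        if m:                       # a new Match line ends the previous block
            scope = m.group(1)
            continue
        d = DIRECTIVE_RE.match(line)
        if d:                       # comments and blank lines match neither regex
            out.append((d.group(1), d.group(2), scope))
    return out

def scopes_of(text, keyword):
    """Scopes in which `keyword` is set; [None] means global only."""
    return [s for k, _, s in parse(text) if k.lower() == keyword.lower()]

def set_global(text, keyword, value):
    """Idempotently set a global directive: rewrite an existing global
    occurrence, else insert before the first Match line, else append."""
    lines = text.splitlines()
    first_match, in_match = None, False
    for i, raw in enumerate(lines):
        line = raw.strip()
        if MATCH_RE.match(line):
            in_match = True
            first_match = i if first_match is None else first_match
            continue
        d = DIRECTIVE_RE.match(line)
        if d and not in_match and d.group(1).lower() == keyword.lower():
            lines[i] = f"{keyword} {value}"      # already global: update in place
            return "\n".join(lines) + "\n"
    at = len(lines) if first_match is None else first_match
    lines.insert(at, f"{keyword} {value}")
    return "\n".join(lines) + "\n"
```

Appending the line to SAMPLE reports scope `User servicepptprdvra`, while `set_global` places it before the Match line and leaves the file unchanged on a second run.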