Cfengine bundle for editing sshd configuration file and restarting sshd if needed

edit_sshd.cf

# Parameters are:
#    file: file to edit
#    params: an array indexed by parameter name, containing the corresponding values. For example:
#      "sshd[Protocol]"                                string => "2";
#      "sshd[X11Forwarding]"                           string => "yes";
#      "sshd[UseDNS]"                                  string => "no";
# Diego Zamboni, November 2010
bundle agent edit_sshd(file,params)
{
files:
  "$(file)"
  handle => "edit_sshd",
  comment => "Set desired sshd_config parameters",
  edit_line => set_config_values("$(params)"),
  classes => if_repaired("restart_sshd");

commands:
  restart_sshd.!no_restarts::
    "/etc/init.d/sshd restart"
    handle => "sshd_restart",
    comment => "Restart sshd if the configuration file was modified";
}

bundle edit_line set_config_values(v)

 # Sets the RHS of configuration items in the file of the form
 #   LHS RHS
 # If the line is commented out with #, it gets uncommented first.
 # Adds a new line if none exists.
 # The argument is an associative array containing v[LHS]="rhs"
 
 # Based on set_variable_values from cfengine_stdlib.cf, modified to
 # use whitespace as separator, and to handle commented-out lines.
 
{
vars:
  "index" slist => getindices("$(v)");

  # Be careful if the index string contains funny chars
  "cindex[$(index)]" string => canonify("$(index)");

field_edits:

  # If the line is there, but commented out, first uncomment it
  "#+$(index)\s+.*"
     edit_field => col("\s+","1","$(index)","set");

  # match a line starting like the key something
  "$(index)\s+.*"
     edit_field => col("\s+","2","$($(v)[$(index)])","set"),
        classes => if_ok("not_$(cindex[$(index)])");

insert_lines:

  "$(index) $($(v)[$(index)])",
      ifvarclass => "!not_$(cindex[$(index)])";
}

use_edit_sshd.cf

bundle agent configfiles
{
vars:
  "sshdconfig" string => "/etc/ssh/sshd_config";

  # SSHD configuration to set
  "sshd[Protocol]"                                string => "2";
  "sshd[X11Forwarding]"                           string => "yes";
  "sshd[UseDNS]"                                  string => "no";

methods:
  "sshd"    usebundle => edit_sshd("$(sshdconfig)", "configfiles.sshd");
}

Hi,

thanks for the cool snippet.

It only fails with the following:

ListenAddress 0.0.0.0

ListenAddress ::1

and

"sshd[ListenAddress]" string => "192.168.1.1";
"sshd[ListenAddress]" string => "fe80::250:56ff:fec0:8";

because

1. it is not possible to use a key twice
2. and will therefore only ever replace both lines with the last value set in the array (here: the IPv6 address).

Do you have a simple solution for that because here, binding to only one interface is a common case of hardening the system?

Maybe it is possible to assign a list instead:
"sshd[ListenAddress]" string => { "192.168.1.1", "fe80::250:56ff:fec0:8" };

Any hint/solution is greatly appreciated.

Cheers,
Sven

Hi,

thanks for the cool snippet.

It only fails with the following:

ListenAddress 0.0.0.0

ListenAddress ::1

and

"sshd[ListenAddress]" string => "192.168.1.1";
"sshd[ListenAddress]" string => "fe80::250:56ff:fec0:8";

because

1. it is not possible to use a key twice
2. and will therefore only ever replace both lines with the last value set in the array (here: the IPv6 address).

Do you have a simple solution for that because here, binding to only one interface is a common case of hardening the system?

Maybe it is possible to assign a list instead:
"sshd[ListenAddress]" string => { "192.168.1.1", "fe80::250:56ff:fec0:8" };

Any hint/solution is greatly appreciated.

Cheers,
Sven

Hi Sven,

Good point - it had not occurred to me that some options can be specified multiple times.

Off the top of my head, the idea would be to specify the value to the config array as an slist, and then have the set_config_values loop over them when this is the case. I'll have to play with it and see if/how it works.

Thanks!
--Diego

Hi Sven,

Good point - it had not occurred to me that some options can be specified multiple times.

Off the top of my head, the idea would be to specify the value to the config array as an slist, and then have the set_config_values loop over them when this is the case. I'll have to play with it and see if/how it works.

Thanks!
--Diego

Hi Diego,

do you have an update on this issue meanwhile?

Thanks,
Sven

Hi Diego,

do you have an update on this issue meanwhile?

Thanks,
Sven

Hi Sven,

Sorry, I have not had much time to devote to this. It's still in my list, and I hope to get to it soon.

Best regards,
--Diego

Hi Sven,

Sorry, I have not had much time to devote to this. It's still in my list, and I hope to get to it soon.

Best regards,
--Diego

When trying to check the promises I see this error: "Redefinition of bundle set_config_values for edit_line is a broken promise, near token '{'" Also this promise won't run in my promises.cf when I bootstrap computers to my policy hub. Is the syntax in this wrong?

When trying to check the promises I see this error: "Redefinition of bundle set_config_values for edit_line is a broken promise, near token '{'" Also this promise won't run in my promises.cf when I bootstrap computers to my policy hub. Is the syntax in this wrong?

fbiryujin: the redefinition error is most likely caused because you are including cfengine_stdlib.cf in your policy, which contains set_config_values already - I included it in this example to make it self contained, but you should remove it if you are using the standard library already. For it to run, you need to include the "configfiles" bundle in your bundlesequence declaration or call it through some other mechanism (e.g. a methods: promise), otherwise it will never get executed.

fbiryujin: the redefinition error is most likely caused because you are including cfengine_stdlib.cf in your policy, which contains set_config_values already - I included it in this example to make it self contained, but you should remove it if you are using the standard library already. For it to run, you need to include the "configfiles" bundle in your bundlesequence declaration or call it through some other mechanism (e.g. a methods: promise), otherwise it will never get executed.

Another comment: if you want to use this, I'd suggest looking at the networking/ssh sketch in the CFEngine Design Center: https://github.com/cfengine/design-center/tree/master/sketches/networking/ssh, since that is the maintained and updated version of this code.

For an introduction to the Design Center and how to use it, please see https://github.com/cfengine/design-center/wiki

Another comment: if you want to use this, I'd suggest looking at the networking/ssh sketch in the CFEngine Design Center: https://github.com/cfengine/design-center/tree/master/sketches/networking/ssh, since that is the maintained and updated version of this code.

For an introduction to the Design Center and how to use it, please see https://github.com/cfengine/design-center/wiki

Thanks. I'll give that a shot, and get back to you. It'd be really cool to see a way to get CFEngine code syntax coloring added to Visual Studio, or Xcode.

Thanks. I'll give that a shot, and get back to you. It'd be really cool to see a way to get CFEngine code syntax coloring added to Visual Studio, or Xcode.

There are Cfengine modes for both Emacs and vi, but I don't know of any support for visual studio or Xcode.

…

--Diego

On Jun 20, 2012, at 11:49 AM, ***@***.*** wrote: Thanks. I'll give that a shot, and get back to you. It'd be really cool to see a way to get CFEngine code syntax coloring added to Visual Studio, or Xcode. --- Reply to this email directly or view it on GitHub: https://gist.github.com/714948

There are Cfengine modes for both Emacs and vi, but I don't know of any support for visual studio or Xcode.

…

--Diego

On Jun 20, 2012, at 11:49 AM, ***@***.*** wrote: Thanks. I'll give that a shot, and get back to you. It'd be really cool to see a way to get CFEngine code syntax coloring added to Visual Studio, or Xcode. --- Reply to this email directly or view it on GitHub: https://gist.github.com/714948

Interesting. It'd be great to get an Xcode or VS plugin working.

Interesting. It'd be great to get an Xcode or VS plugin working.