zzamboni / edit_sshd.cf
Created

Embed URL

HTTPS clone URL

SSH clone URL

You can clone with HTTPS or SSH.

Download Gist

Cfengine bundle for editing sshd configuration file and restarting sshd if needed

View edit_sshd.cf
Raw
File suppressed. Click to show.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 
# Parameters are:

#    file: file to edit

#    params: an array indexed by parameter name, containing the corresponding values. For example:

#      "sshd[Protocol]"                                string => "2";

#      "sshd[X11Forwarding]"                           string => "yes";

#      "sshd[UseDNS]"                                  string => "no";

# Diego Zamboni, November 2010

bundle agent edit_sshd(file,params)

{

files:

  "$(file)"

  handle => "edit_sshd",

  comment => "Set desired sshd_config parameters",

  edit_line => set_config_values("$(params)"),

  classes => if_repaired("restart_sshd");

 

commands:

  restart_sshd.!no_restarts::

    "/etc/init.d/sshd restart"

    handle => "sshd_restart",

    comment => "Restart sshd if the configuration file was modified";

}

 

bundle edit_line set_config_values(v)

 

 # Sets the RHS of configuration items in the file of the form

 #   LHS RHS

 # If the line is commented out with #, it gets uncommented first.

 # Adds a new line if none exists.

 # The argument is an associative array containing v[LHS]="rhs"

 

 # Based on set_variable_values from cfengine_stdlib.cf, modified to

 # use whitespace as separator, and to handle commented-out lines.

 

{

vars:

  "index" slist => getindices("$(v)");

 

  # Be careful if the index string contains funny chars

  "cindex[$(index)]" string => canonify("$(index)");

 

field_edits:

 

  # If the line is there, but commented out, first uncomment it

  "#+$(index)\s+.*"

     edit_field => col("\s+","1","$(index)","set");

 

  # match a line starting like the key something

  "$(index)\s+.*"

     edit_field => col("\s+","2","$($(v)[$(index)])","set"),

        classes => if_ok("not_$(cindex[$(index)])");

 

insert_lines:

 

  "$(index) $($(v)[$(index)])",

      ifvarclass => "!not_$(cindex[$(index)])";

}
View edit_sshd.cf
Raw
File suppressed. Click to show.
1 2 3 4 5 6 7 8 9 10 11 12 13 
bundle agent configfiles

{

vars:

  "sshdconfig" string => "/etc/ssh/sshd_config";

 

  # SSHD configuration to set

  "sshd[Protocol]"                                string => "2";

  "sshd[X11Forwarding]"                           string => "yes";

  "sshd[UseDNS]"                                  string => "no";

 

methods:

  "sshd"    usebundle => edit_sshd("$(sshdconfig)", "configfiles.sshd");

}
svenXY commented

Hi,

thanks for the cool snippet.

It only fails with the following:

#ListenAddress 0.0.0.0
#ListenAddress ::1

and

"sshd[ListenAddress]" string => "192.168.1.1";
"sshd[ListenAddress]" string => "fe80::250:56ff:fec0:8";

because

1) it is not possible to use a key twice
2) and will therefore only ever replace both lines with the last value set in the array (here: the IPv6 address).

Do you have a simple solution for that because here, binding to only one interface is a common case of hardening the system?

Maybe it is possible to assign a list instead:
"sshd[ListenAddress]" string => { "192.168.1.1", "fe80::250:56ff:fec0:8" };

Any hint/solution is greatly appreciated.

Cheers,
Sven

Owner
zzamboni commented

Hi Sven,

Good point - it had not occurred to me that some options can be specified multiple times.

Off the top of my head, the idea would be to specify the value to the config array as an slist, and then have the set_config_values loop over them when this is the case. I'll have to play with it and see if/how it works.

Thanks!
--Diego

svenXY commented

Hi Diego,

do you have an update on this issue meanwhile?

Thanks,
Sven

Owner
zzamboni commented

Hi Sven,

Sorry, I have not had much time to devote to this. It's still in my list, and I hope to get to it soon.

Best regards,
--Diego

fbiryujin commented

When trying to check the promises I see this error: "Redefinition of bundle set_config_values for edit_line is a broken promise, near token '{'" Also this promise won't run in my promises.cf when I bootstrap computers to my policy hub. Is the syntax in this wrong?

Owner
zzamboni commented

fbiryujin: the redefinition error is most likely caused because you are including cfengine_stdlib.cf in your policy, which contains set_config_values already - I included it in this example to make it self contained, but you should remove it if you are using the standard library already. For it to run, you need to include the "configfiles" bundle in your bundlesequence declaration or call it through some other mechanism (e.g. a methods: promise), otherwise it will never get executed.

Owner
zzamboni commented

Another comment: if you want to use this, I'd suggest looking at the networking/ssh sketch in the CFEngine Design Center: https://github.com/cfengine/design-center/tree/master/sketches/networking/ssh, since that is the maintained and updated version of this code.

For an introduction to the Design Center and how to use it, please see https://github.com/cfengine/design-center/wiki

fbiryujin commented

Thanks. I'll give that a shot, and get back to you. It'd be really cool to see a way to get CFEngine code syntax coloring added to Visual Studio, or Xcode.

Owner
zzamboni commented
fbiryujin commented

Interesting. It'd be great to get an Xcode or VS plugin working.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.