Ust 3664/openssh techniques add possibility to listen address #717

Merged
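--- a/techniques/system/common/1.0/rudder_stdlib.st
+++ b/techniques/system/common/1.0/rudder_stdlib.st
@@ -86,6 +86,12 @@ bundle edit_line rudder_common_disclaimer
 insert_type => "preserve_block";
 }
 
+# Select lines for deletion
+# Select the lines that are not in the list (complete line match)
+body delete_select rudder_delete_if_not_in_list(lines_to_delete)
+{
+delete_if_not_match_from_list => { @{lines_to_delete} };
+}
 #
 # Select files older than X months
 #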
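Review bot: The header comment on rudder_delete_if_not_in_list says "complete line match", but delete_if_not_match_from_list takes a list of regular expressions, so a caller that passes literal lines gets regex semantics (a `.` matches any character, `[` opens a character class) rather than a literal comparison. The comment should say so, because this body is a shared stdlib helper and the difference decides whether an edit converges; I would replace the second comment line with `# Keep only lines matching one of the regexes in the list (each regex is anchored to the whole line); literal values must be escaped by the caller`. The surrounding bundle rudder_common_disclaimer starts outside the hunk.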
@@ -0,0 +1,34 @@
#####################################################################################
# Copyright 2011-2013 Normation SAS
#####################################################################################
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, Version 3.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
#####################################################################################

#
# Configure the port numbers/listen addresses in the OpenSSH configuration file
# The first arguement is the name of parameter in the config file, second is the values (either a string or a slist)
#
bundle edit_line rudder_openssh_server_parameters_configuration(parameter_name, values)
{
vars:
"entries" slist => maplist("${parameter_name} ${this}", "values");

delete_lines:
"${parameter_name}.*"
delete_select => rudder_delete_if_not_in_list("@{this.entries}");

insert_lines:
"${entries}";
}
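Review bot: The `entries` list at line 75 is built by literal concatenation of caller-supplied values and then handed unescaped to rudder_delete_if_not_in_list at line 79, where each entry is used as a regular expression. For the values this bundle is meant to carry that matters: an IPv6 ListenAddress written as `ListenAddress [::1]:22` contains an unterminated character class and will not match its own line, so every run would delete the existing line and re-insert it from line 82, and the edit never converges (a dotted IPv4 address only over-matches, which is harmless under full-line anchoring). The values should be escaped before they are used as the selection list (CFEngine's escape() function, or a second maplist over `entries` that yields escaped copies), keeping the unescaped `entries` for insert_lines. It is also worth stating in the header comment (line 69, which also has the typo "arguement") what happens when `values` is empty: the delete_select then keeps nothing, so every `${parameter_name}` line is removed and nothing is inserted, which for Port or ListenAddress silently falls back to sshd's defaults — presumably intended, but it deserves a sentence.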
@@ -0,0 +1,17 @@
-- Jonathan CLARKE <jonathan.clarke@normation.com> Wed Feb 22 18:42:29 2012 +0100
* Version 1.0
** Initial version
-- Matthieu CERDA <matthieu.cerda@normation.com> Thu Dec 20 17:46:24 2012 +0100
* Version 2.0
** Converted the OpenSSH server Technique to the new reporting format
-- Nicolas Charles <nicolas.charles@normation.com> Thu Feb 14 16:01:25 2013 +0100
* Version 3.0
** Improves the uses of conventions in the ssh technique
** Remove unused parameters
-- Matthieu CERDA <matthieu.cerda@normation.com> Wed Sep 10 15:39:37 2014 +0200
* Version 4.0
** Support AIX
** Support systemd
-- Nicolas CHARLES <nicolas.charles@normation.com> Thu Jul 09 10:01:37 2015 +0200
* Version 5.0
** Add possibility to configure Listen Adresses
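--- a/techniques/systemSettings/remoteAccess/sshConfiguration/5.0/config.st
+++ b/techniques/systemSettings/remoteAccess/sshConfiguration/5.0/config.st
@@ -0,0 +1,279 @@
+#####################################################################################
+# Copyright 2011-2013 Normation SAS
+#####################################################################################
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, Version 3.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+#####################################################################################
+
+#####################################################################################
+# This Technique installs and configures OpenSSH. See metadata.xml for more details.
+#####################################################################################
+
+bundle agent rudder_openssh_server
+{
+vars:
+"rudder_openssh_server_service_name"
+string => "OpenSSH server";
+
+# Prefix for all the defined classes
+"rudder_class_prefix"
+string => "rudder_openssh_server";
+
+# This is the file to edit
+"rudder_openssh_server_config[sshd_config_file]"
+string => "&OPENSSH_SERVER_CONFFILE&";
+
+"rudder_openssh_server_config[sshd_config_ports]"
+slist => {&OPENSSH_SERVER_PORTS: { "&it&" };separator=", "&};
+
+"rudder_openssh_server_config[sshd_config_addresses]"
+slist => {&OPENSSH_SERVER_ADDRESSES: { "&it&" };separator=", "&};
+
+# This is the reporting information to be added
+"rudder_openssh_server_config[report]"
+string => "&TRACKINGKEY&";
+
+# Variable that holds if we want to edit ports
+"rudder_openssh_server_config[edit_ports]"
+string => "&OPENSSH_SERVER_PORTSEDIT&";
+
+# Variable that holds if we want to edit listenning addresses
+"rudder_openssh_server_config[edit_addresses]"
+string => "&OPENSSH_SERVER_ADDRESSESEDIT&";
+
+# Class specific parameters
+rudder_openssh_server_address_family_edit.!(debian_3|redhat_3|redhat_4|centos_3|centos_4)::
+"rudder_openssh_server_config[config][AddressFamily]"
+string => "&OPENSSH_SERVER_ADDRESSFAMILY&";
+
+rudder_openssh_server_protocol_edit::
+"rudder_openssh_server_config[config][Protocol]"
+string => "&OPENSSH_SERVER_PROTOCOL&";
+
+rudder_openssh_server_max_sessions_edit.!(redhat_3|redhat_4|redhat_5|centos_3|centos_4|centos_5|SuSE_10|debian_3|debian_4|aix_5_3|aix_5_2|aix_5_1)::
+"rudder_openssh_server_config[config][MaxSessions]"
+string => "&OPENSSH_SERVER_MAXSESSIONS&";
+
+rudder_openssh_server_challenge_response_authentication_edit::
+"rudder_openssh_server_config[config][ChallengeResponseAuthentication]"
+string => "&OPENSSH_SERVER_CHALLENGERESPONSEAUTHENTICATION&";
+
+rudder_openssh_server_password_authentication_edit::
+"rudder_openssh_server_config[config][PasswordAuthentication]"
+string => "&OPENSSH_SERVER_PASSWORDAUTHENTICATION&";
+
+rudder_openssh_server_pubkey_authentication_edit::
+"rudder_openssh_server_config[config][PubkeyAuthentication]"
+string => "&OPENSSH_SERVER_PUBKEYAUTHENTICATION&";
+
+rudder_openssh_server_permit_empty_passwords_edit::
+"rudder_openssh_server_config[config][PermitEmptyPasswords]"
+string => "&OPENSSH_SERVER_PERMITEMPTYPASSWORDS&";
+
+rudder_openssh_server_permit_root_login_edit::
+"rudder_openssh_server_config[config][PermitRootLogin]"
+string => "&OPENSSH_SERVER_PERMITROOTLOGIN&";
+
+rudder_openssh_server_max_auth_tries_edit.!(debian_3|redhat_3|centos_3)::
+"rudder_openssh_server_config[config][MaxAuthTries]"
+string => "&OPENSSH_SERVER_MAXAUTHTRIES&";
+
+rudder_openssh_server_login_grace_time_edit::
+"rudder_openssh_server_config[config][LoginGraceTime]"
+string => "&OPENSSH_SERVER_LOGINGRACETIME&";
+
+rudder_openssh_server_use_privilege_separation_edit::
+"rudder_openssh_server_config[config][UsePrivilegeSeparation]"
+string => "&OPENSSH_SERVER_USEPRIVILEGESEPARATION&";
+
+rudder_openssh_server_strict_modes_edit::
+"rudder_openssh_server_config[config][StrictModes]"
+string => "&OPENSSH_SERVER_STRICTMODES&";
+
+rudder_openssh_server_allow_agent_forwarding_edit.!(redhat|SuSE|debian_3|debian_4)::
+"rudder_openssh_server_config[config][AllowAgentForwarding]"
+string => "&OPENSSH_SERVER_ALLOWAGENTFORWARDING&";
+
+rudder_openssh_server_allow_tcp_forwarding_edit::
+"rudder_openssh_server_config[config][AllowTcpForwarding]"
+string => "&OPENSSH_SERVER_ALLOWTCPFORWARDING&";
+
+rudder_openssh_server_permit_tunnel_edit.!(SuSE|debian_3|redhat_3|redhat_4|centos_3|centos_4)::
+"rudder_openssh_server_config[config][PermitTunnel]"
+string => "&OPENSSH_SERVER_PERMITTUNNEL&";
+
+rudder_openssh_server_permit_user_environment_edit::
+"rudder_openssh_server_config[config][PermitUserEnvironment]"
+string => "&OPENSSH_SERVER_PERMITUSERENVIRONMENT&";
+
+rudder_openssh_server_x11_forwarding_edit::
+"rudder_openssh_server_config[config][X11Forwarding]"
+string => "&OPENSSH_SERVER_X11FORWARDING&";
+
+rudder_openssh_server_print_lastlog_edit::
+"rudder_openssh_server_config[config][PrintLastLog]"
+string => "&OPENSSH_SERVER_PRINTLASTLOG&";
+
+rudder_openssh_server_printmotd_edit::
+"rudder_openssh_server_config[config][PrintMotd]"
+string => "&OPENSSH_SERVER_PRINTMOTD&";
+
+rudder_openssh_server_tcp_keepalive_edit.!(redhat_3|centos_3)::
+"rudder_openssh_server_config[config][TCPKeepAlive]"
+string => "&OPENSSH_SERVER_TCPKEEPALIVE&";
+
+rudder_openssh_server_log_level_edit::
+"rudder_openssh_server_config[config][LogLevel]"
+string => "&OPENSSH_SERVER_LOGLEVEL&";
+
+rudder_openssh_server_syslog_facility_edit::
+"rudder_openssh_server_config[config][SyslogFacility]"
+string => "&OPENSSH_SERVER_SYSLOGFACILITY&";
+
+classes:
+# AddressFamily edition ?
+"rudder_openssh_server_address_family_edit"
+not => strcmp("&OPENSSH_SERVER_ADDRESSFAMILY&","dontchange");
+
+# Protocol edition ?
+"rudder_openssh_server_protocol_edit"
+not => strcmp("&OPENSSH_SERVER_PROTOCOL&","dontchange");
+
+# MaxSessions edition ?
+"rudder_openssh_server_max_sessions_edit"
+not => strcmp("&OPENSSH_SERVER_MAXSESSIONS&","dontchange");
+
+# ChallengeResponseAuthentication edition ?
+"rudder_openssh_server_challenge_response_authentication_edit"
+not => strcmp("&OPENSSH_SERVER_CHALLENGERESPONSEAUTHENTICATION&","dontchange");
+
+# PasswordAuthentication edition ?
+"rudder_openssh_server_password_authentication_edit"
+not => strcmp("&OPENSSH_SERVER_PASSWORDAUTHENTICATION&","dontchange");
+
+# PubkeyAuthentication edition ?
+"rudder_openssh_server_pubkey_authentication_edit"
+not => strcmp("&OPENSSH_SERVER_PUBKEYAUTHENTICATION&","dontchange");
+
+# PermitEmptyPasswords edition ?
+"rudder_openssh_server_permit_empty_passwords_edit"
+not => strcmp("&OPENSSH_SERVER_PERMITEMPTYPASSWORDS&","dontchange");
+
+# PermitRootLogin edition ?
+"rudder_openssh_server_permit_root_login_edit"
+not => strcmp("&OPENSSH_SERVER_PERMITROOTLOGIN&","dontchange");
+
+# MaxAuthTries edition ?
+"rudder_openssh_server_max_auth_tries_edit"
+not => strcmp("&OPENSSH_SERVER_MAXAUTHTRIES&","dontchange");
+
+# LoginGraceTime edition ?
+"rudder_openssh_server_login_grace_time_edit"
+not => strcmp("&OPENSSH_SERVER_LOGINGRACETIME&","dontchange");
+
+# UsePrivilegeSeparation edition ?
+"rudder_openssh_server_use_privilege_separation_edit"
+not => strcmp("&OPENSSH_SERVER_USEPRIVILEGESEPARATION&","dontchange");
+
+# StrictModes edition ?
+"rudder_openssh_server_strict_modes_edit"
+not => strcmp("&OPENSSH_SERVER_STRICTMODES&","dontchange");
+
+# AllowAgentForwarding edition ?
+"rudder_openssh_server_allow_agent_forwarding_edit"
+not => strcmp("&OPENSSH_SERVER_ALLOWAGENTFORWARDING&","dontchange");
+
+# AllowTcpForwarding edition ?
+"rudder_openssh_server_allow_tcp_forwarding_edit"
+not => strcmp("&OPENSSH_SERVER_ALLOWTCPFORWARDING&","dontchange");
+
+# PermitTunnel edition ?
+"rudder_openssh_server_permit_tunnel_edit"
+not => strcmp("&OPENSSH_SERVER_PERMITTUNNEL&","dontchange");
+
+# PermitUserEnvironment edition ?
+"rudder_openssh_server_permit_user_environment_edit"
+not => strcmp("&OPENSSH_SERVER_PERMITUSERENVIRONMENT&","dontchange");
+
+# X11Forwarding edition ?
+"rudder_openssh_server_x11_forwarding_edit"
+not => strcmp("&OPENSSH_SERVER_X11FORWARDING&","dontchange");
+
+# PrintLastLog edition ?
+"rudder_openssh_server_print_lastlog_edit"
+not => strcmp("&OPENSSH_SERVER_PRINTLASTLOG&","dontchange");
+
+# PrintMotd edition ?
+"rudder_openssh_server_printmotd_edit"
+not => strcmp("&OPENSSH_SERVER_PRINTMOTD&","dontchange");
+
+# TCPKeepAlive edition ?
+"rudder_openssh_server_tcp_keepalive_edit"
+not => strcmp("&OPENSSH_SERVER_TCPKEEPALIVE&","dontchange");
+
+# LogLevel edition ?
+"rudder_openssh_server_log_level_edit"
+not => strcmp("&OPENSSH_SERVER_LOGLEVEL&","dontchange");
+
+# SyslogFacility edition ?
+"rudder_openssh_server_syslog_facility_edit"
+not => strcmp("&OPENSSH_SERVER_SYSLOGFACILITY&","dontchange");
+
+# Defines a class to describe we are at the second iteration
+# When iteration_2 is defined, it means all the variable are defined
+"iteration_2"
+expression => "iteration_1";
+
+"iteration_1"
+expression => "any";
+
+
+methods:
+# Note:
+# The reporting is made on separate bundles to abstract the complexity
+# inherent to the normal ordering.
+"any" usebundle => rudder_openssh_server_installation("${rudder_class_prefix}", "${rudder_openssh_server_service_name}", "rudder_openssh_server.rudder_openssh_server_config");
+"any" usebundle => rudder_openssh_server_installation_reporting("${rudder_class_prefix}", "${rudder_openssh_server_service_name}", "rudder_openssh_server.rudder_openssh_server_config");
+"any" usebundle => rudder_openssh_server_check_ssh_installation();
+"any" usebundle => rudder_openssh_server_check_ssh_installation_reporting("${rudder_class_prefix}", "${rudder_openssh_server_service_name}", "rudder_openssh_server.rudder_openssh_server_config");
+
+
+iteration_2::
+"any" usebundle => rudder_openssh_server_configuration("${rudder_class_prefix}", "${rudder_openssh_server_service_name}", "rudder_openssh_server.rudder_openssh_server_config");
+"any" usebundle => rudder_openssh_server_configuration_reporting("${rudder_class_prefix}", "${rudder_openssh_server_service_name}", "rudder_openssh_server.rudder_openssh_server_config");
+
+# Warn about features that are not implemented on all platforms
+
+"any"
+usebundle => rudder_common_report("${rudder_openssh_server_service_name}", "log_warn", "&TRACKINGKEY&", "SSH configuration", "None", "The ${rudder_openssh_server_service_name} parameter \"address family\" isn't implemented on Red Hat/CentOS/SuSE/Debian 3 and 4"),
+ifvarclass => "rudder_openssh_server_address_family_edit.(debian_3|redhat_3|redhat_4|centos_3|centos_4)";
+"any"
+usebundle => rudder_common_report("${rudder_openssh_server_service_name}", "log_warn", "&TRACKINGKEY&", "SSH configuration", "None", "The ${rudder_openssh_server_service_name} parameter \"maximum authentication attemps per connection\" isn't implemented on Red Hat/CentOS"),
+ifvarclass => "rudder_openssh_server_max_auth_tries_edit.(redhat_3|centos_3|debian_3)";
+
+"any"
+usebundle => rudder_common_report("${rudder_openssh_server_service_name}", "log_warn", "&TRACKINGKEY&", "SSH configuration", "None", "The ${rudder_openssh_server_service_name} parameter \"agent forwarding\" isn't implemented on Red Hat/CentOS/SuSE/Debian 3 and 4"),
+ifvarclass => "rudder_openssh_server_allow_agent_forwarding_edit.(redhat|SuSE|debian_3|debian_4)";
+"any"
+usebundle => rudder_common_report("${rudder_openssh_server_service_name}", "log_warn", "&TRACKINGKEY&", "SSH configuration", "None", "The ${rudder_openssh_server_service_name} parameter \"max sessions\" isn't implemented on Red Hat/CentOS 3,4,5, SuSE 10 and Debian 3 and 4"),
+ifvarclass => "rudder_openssh_server_max_sessions_edit.(redhat_3|redhat_4|redhat_5|centos_3|centos_4|centos_5|SuSE_10|SuSE|debian_3|debian_4|aix_5_3|aix_5_2|aix_5_1)";
+"any"
+usebundle => rudder_common_report("${rudder_openssh_server_service_name}", "log_warn", "&TRACKINGKEY&", "SSH configuration", "None", "The ${rudder_openssh_server_service_name} parameter \"permit tunnel\" isn't implemented on SuSE/Debian 3/Redhat/CentOS3 and 4"),
+ifvarclass => "rudder_openssh_server_permit_tunnel_edit.(SuSE|debian_3|redhat_3|redhat_4|centos_3|centos_4)";
+"any"
+usebundle => rudder_common_report("${rudder_openssh_server_service_name}", "log_warn", "&TRACKINGKEY&", "SSH configuration", "None", "The ${rudder_openssh_server_service_name} parameter \"TCP Keep Alive (Time before disconnect)\" isn't implemented on Red Hat/CentOS 3"),
+ifvarclass => "rudder_openssh_server_tcp_keepalive_edit.(redhat_3|centos_3)";
+
+
+}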
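Review bot: The platform list on the "max sessions" warning at line 375 includes a bare `SuSE` in addition to `SuSE_10`, while the class guard that withholds the MaxSessions variable at line 169 excludes only `SuSE_10`; on any other SuSE release with MaxSessions edition enabled the bundle therefore writes MaxSessions into sshd_config and in the same run reports a log_warn that the parameter isn't implemented. The message text on line 374 names "SuSE 10" only, so the guard on line 169 looks like the intended one and the fix is to drop the extra token: `ifvarclass => "rudder_openssh_server_max_sessions_edit.(redhat_3|redhat_4|redhat_5|centos_3|centos_4|centos_5|SuSE_10|debian_3|debian_4|aix_5_3|aix_5_2|aix_5_1)";`. Separately, the new `sshd_config_ports` and `sshd_config_addresses` lists at lines 143 and 146 are taken verbatim from the directive and, as far as this file shows, are never checked for being a numeric port or a syntactically valid ListenAddress before they are handed to rudder_openssh_server_configuration (defined outside this hunk); a malformed entry would make sshd reject its configuration on restart and lock operators out, so a comment at line 142 stating where (if anywhere) these values are validated, or a regex-based class gating the edit, would be worth adding. The "maximum authentication attemps" message at line 367 also says Red Hat/CentOS while its class on line 368 covers redhat_3, centos_3 and debian_3 only.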