From 1c936bb38d39b238001364e1a7ee5479bdfff053 Mon Sep 17 00:00:00 2001

From: Dominic Cleal <dcleal@redhat.com>

Date: Fri, 12 Jun 2015 11:01:57 +0100

Subject: [PATCH] Sshd: revert Sshd module to 1.1.0-compatible, add Sshd_140

In order to keep the default sshd config lens compatible with 1.1.0,

the lens from 1.4.0 has been kept in the Sshd_140 module and is not

loaded by default.  Use aug_transform, augtool --transform etc. to use

it instead of Sshd.

---

 lenses/sshd.aug                |  52 +++++-------

 lenses/sshd_140.aug            | 141 +++++++++++++++++++++++++++++++++

 lenses/tests/test_sshd.aug     |  56 -------------

 lenses/tests/test_sshd_140.aug | 136 +++++++++++++++++++++++++++++++

 tests/Makefile.am              |   1 +

 5 files changed, 298 insertions(+), 88 deletions(-)

 create mode 100644 lenses/sshd_140.aug

 create mode 100644 lenses/tests/test_sshd_140.aug

diff --git a/lenses/sshd.aug b/lenses/sshd.aug

index 55f6c4f7..785102ec 100644

--- a/lenses/sshd.aug

+++ b/lenses/sshd.aug

@@ -70,55 +70,41 @@ module Sshd =

    let sep = Util.del_ws_spc

-   let indent = del /[ \t]*/ "  "

-

    let key_re = /[A-Za-z0-9]+/

-         - /MACs|Match|AcceptEnv|Subsystem|Ciphers|KexAlgorithms|(Allow|Deny)(Groups|Users)/i

+         - /MACs|Match|AcceptEnv|Subsystem|(Allow|Deny)(Groups|Users)/

    let comment = Util.comment

-   let comment_noindent = Util.comment_noindent

    let empty = Util.empty

-   let array_entry (kw:regexp) (sq:string) =

+   let array_entry (k:string) =

      let value = store /[^ \t\n]+/ in

-     [ key kw . [ sep . seq sq . value]* . eol ]

+     [ key k . [ sep . seq k . value]* . eol ]

    let other_entry =

      let value = store /[^ \t\n]+([ \t]+[^ \t\n]+)*/ in

      [ key key_re . sep . value . eol ]

-   let accept_env = array_entry /AcceptEnv/i "AcceptEnv"

+   let accept_env = array_entry "AcceptEnv"

-   let allow_groups = array_entry /AllowGroups/i "AllowGroups"

-   let allow_users = array_entry /AllowUsers/i "AllowUsers"

-   let deny_groups = array_entry /DenyGroups/i "DenyGroups"

-   let deny_users = array_entry /DenyUsers/i "DenyUsers"

+   let allow_groups = array_entry "AllowGroups"

+   let allow_users = array_entry "AllowUsers"

+   let deny_groups = array_entry "DenyGroups"

+   let deny_users = array_entry "DenyUsers"

    let subsystemvalue =

      let value = store (/[^ \t\n](.*[^ \t\n])?/) in

      [ key /[A-Za-z0-9\-]+/ . sep . value . eol ]

    let subsystem =

-     [ key /Subsystem/i .  sep .  subsystemvalue ]

+     [ key "Subsystem" .  sep .  subsystemvalue ]

-   let list (kw:regexp) (sq:string) =

-     let value = store /[^, \t\n]+/ in

-     [ key kw . sep .

-         [ seq sq . value ] .

-         ([ seq sq . Util.del_str "," . value])* .

+   let macs =

+     let mac_value = store /[^, \t\n]+/ in

+     [ key "MACs" . sep .

+         [ seq "macs" . mac_value ] .

+         ([ seq "macs" . Util.del_str "," . mac_value])* .

          eol ]

-   let macs = list /MACs/i "MACs"

-

-   let ciphers = list /Ciphers/i "Ciphers"

-

-   let kexalgorithms = list /KexAlgorithms/i "KexAlgorithms"

-

-   let entry = accept_env | allow_groups | allow_users

-             | deny_groups | subsystem | deny_users

-             | macs | ciphers | kexalgorithms

-             | other_entry

-

    let condition_entry =

     let value = store  /[^ \t\n]+/ in

     [ sep . key /[A-Za-z0-9]+/ . sep . value ]

@@ -126,15 +112,17 @@ module Sshd =

    let match_cond =

      [ label "Condition" . condition_entry+ . eol ]

-   let match_entry = indent . (entry | comment_noindent)

-                   | empty 

+   let match_entry =

+     ( comment | empty | (Util.indent . other_entry) )

    let match =

-     [ key /Match/i . match_cond

+     [ key "Match" . match_cond

         . [ label "Settings" .  match_entry+ ]

      ]

-  let lns = (entry | comment | empty)* . match* 

+  let lns = (comment | empty | accept_env | allow_groups | allow_users

+          | deny_groups | subsystem | deny_users | macs

+          | other_entry ) * . match*

   let xfm = transform lns (incl "/etc/ssh/sshd_config")

diff --git a/lenses/sshd_140.aug b/lenses/sshd_140.aug

new file mode 100644

index 00000000..8a7f176f

--- /dev/null

+++ b/lenses/sshd_140.aug

@@ -0,0 +1,141 @@

+(*

+Module: Sshd_140

+  Parses /etc/ssh/sshd_config

+

+  This module is compatible with Augeas 1.4.0, but is not loaded by default.

+

+Author: David Lutterkort lutter@redhat.com

+        Dominique Dumont dominique.dumont@hp.com

+

+About: Reference

+  sshd_config man page.

+  See http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5

+

+About: License

+  This file is licensed under the LGPL v2+.

+

+About: Lens Usage

+  Sample usage of this lens in augtool:

+

+    * Get your current setup

+      > print /files/etc/ssh/sshd_config

+      ...

+

+    * Set X11Forwarding to "no"

+      > set /files/etc/ssh/sshd_config/X11Forwarding "no"

+

+  More advanced usage:

+

+    * Set a Match section

+      > set /files/etc/ssh/sshd_config/Match[1]/Condition/User "foo"

+      > set /files/etc/ssh/sshd_config/Match[1]/Settings/X11Forwarding "yes"

+

+  Saving your file:

+

+      > save

+

+

+About: CAVEATS

+

+  In sshd_config, Match blocks must be located at the end of the file.

+  This means that any new "global" parameters (i.e. outside of a Match

+  block) must be written before the first Match block. By default,

+  Augeas will write new parameters at the end of the file.

+

+  I.e. if you have a Match section and no ChrootDirectory parameter,

+  this command:

+

+     > set /files/etc/ssh/sshd_config/ChrootDirectory "foo"

+

+  will be stored in a new node after the Match section and Augeas will

+  refuse to save sshd_config file.

+

+  To create a new parameter as the right place, you must first create

+  a new Augeas node before the Match section:

+

+     > ins ChrootDirectory before /files/etc/ssh/sshd_config/Match

+

+  Then, you can set the parameter

+

+     > set /files/etc/ssh/sshd_config/ChrootDirectory "foo"

+

+

+About: Configuration files

+  This lens applies to /etc/ssh/sshd_config

+

+*)

+

+module Sshd_140 =

+   let eol = del /[ \t]*\n/ "\n"

+

+   let sep = Util.del_ws_spc

+

+   let indent = del /[ \t]*/ "  "

+

+   let key_re = /[A-Za-z0-9]+/

+         - /MACs|Match|AcceptEnv|Subsystem|Ciphers|KexAlgorithms|(Allow|Deny)(Groups|Users)/i

+

+   let comment = Util.comment

+   let comment_noindent = Util.comment_noindent

+   let empty = Util.empty

+

+   let array_entry (kw:regexp) (sq:string) =

+     let value = store /[^ \t\n]+/ in

+     [ key kw . [ sep . seq sq . value]* . eol ]

+

+   let other_entry =

+     let value = store /[^ \t\n]+([ \t]+[^ \t\n]+)*/ in

+     [ key key_re . sep . value . eol ]

+

+   let accept_env = array_entry /AcceptEnv/i "AcceptEnv"

+

+   let allow_groups = array_entry /AllowGroups/i "AllowGroups"

+   let allow_users = array_entry /AllowUsers/i "AllowUsers"

+   let deny_groups = array_entry /DenyGroups/i "DenyGroups"

+   let deny_users = array_entry /DenyUsers/i "DenyUsers"

+

+   let subsystemvalue =

+     let value = store (/[^ \t\n](.*[^ \t\n])?/) in

+     [ key /[A-Za-z0-9\-]+/ . sep . value . eol ]

+

+   let subsystem =

+     [ key /Subsystem/i .  sep .  subsystemvalue ]

+

+   let list (kw:regexp) (sq:string) =

+     let value = store /[^, \t\n]+/ in

+     [ key kw . sep .

+         [ seq sq . value ] .

+         ([ seq sq . Util.del_str "," . value])* .

+         eol ]

+

+   let macs = list /MACs/i "MACs"

+

+   let ciphers = list /Ciphers/i "Ciphers"

+

+   let kexalgorithms = list /KexAlgorithms/i "KexAlgorithms"

+

+   let entry = accept_env | allow_groups | allow_users

+             | deny_groups | subsystem | deny_users

+             | macs | ciphers | kexalgorithms

+             | other_entry

+

+   let condition_entry =

+    let value = store  /[^ \t\n]+/ in

+    [ sep . key /[A-Za-z0-9]+/ . sep . value ]

+

+   let match_cond =

+     [ label "Condition" . condition_entry+ . eol ]

+

+   let match_entry = indent . (entry | comment_noindent)

+                   | empty 

+

+   let match =

+     [ key /Match/i . match_cond

+        . [ label "Settings" .  match_entry+ ]

+     ]

+

+  let lns = (entry | comment | empty)* . match* 

+

+(* Local Variables: *)

+(* mode: caml       *)

+(* End:             *)

diff --git a/lenses/tests/test_sshd.aug b/lenses/tests/test_sshd.aug

index 5954e16f..788a12f0 100644

--- a/lenses/tests/test_sshd.aug

+++ b/lenses/tests/test_sshd.aug

@@ -1,4 +1,3 @@

-(* Module: Test_sshd *)

 module Test_sshd =

   let accept_env = "Protocol 2

@@ -75,61 +74,6 @@ Match User sarko Group pres.*

 Match User bush Group pres.* Host white.house.*

 Banner /etc/welcome.txt\n"

-(* Test: Sshd.lns

-   Indent when adding to a Match group *)

-  test Sshd.lns put match_blocks after

-    set "Match[1]/Settings/PermitRootLogin" "yes";

-    set "Match[1]/Settings/#comment" "a comment" =

-"X11Forwarding yes

-Match User sarko Group pres.*

-  Banner /etc/bienvenue.txt

-  X11Forwarding no

-  PermitRootLogin yes

-  # a comment

-Match User bush Group pres.* Host white.house.*

-Banner /etc/welcome.txt\n"

-

-

-(* Test: Sshd.lns

-     Parse Ciphers and KexAlgorithms as lists (GH issue #69) *)

-test Sshd.lns get "Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr

-KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1\n" =

-  { "Ciphers"

-    { "1" = "aes256-gcm@openssh.com" }

-    { "2" = "aes128-gcm@openssh.com" }

-    { "3" = "aes256-ctr" }

-    { "4" = "aes128-ctr" }

-  }

-  { "KexAlgorithms"

-    { "1" = "diffie-hellman-group-exchange-sha256" }

-    { "2" = "diffie-hellman-group14-sha1" }

-    { "3" = "diffie-hellman-group-exchange-sha1" }

-  }

-

-(* Test: Sshd.lns

-     Keys are case-insensitive *)

-test Sshd.lns get "ciPheRs aes256-gcm@openssh.com,aes128-ctr

-maTcH User foo

-  x11forwarding no\n" =

-  { "ciPheRs"

-    { "1" = "aes256-gcm@openssh.com" }

-    { "2" = "aes128-ctr" }

-  }

-  { "maTcH"

-    { "Condition"

-      { "User" = "foo" }

-    }

-    { "Settings"

-      { "x11forwarding" = "no" }

-    }

-  }

-

-(* Test: Sshd.lns

-     Allow AllowGroups in Match groups (GH issue #75) *)

-test Sshd.lns get "Match User foo

-AllowGroups users\n" =

-  { "Match" { "Condition" { "User" = "foo" } }

-    { "Settings" { "AllowGroups" { "1" = "users" } } } }

 (* Local Variables: *)

 (* mode: caml       *)

diff --git a/lenses/tests/test_sshd_140.aug b/lenses/tests/test_sshd_140.aug

new file mode 100644

index 00000000..056c53f9

--- /dev/null

+++ b/lenses/tests/test_sshd_140.aug

@@ -0,0 +1,136 @@

+(* Module: Test_sshd_140 *)

+module Test_sshd_140 =

+

+  let accept_env = "Protocol 2

+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT

+AcceptEnv LC_IDENTIFICATION LC_ALL\n"

+

+  test Sshd_140.lns get accept_env =

+    { "Protocol" = "2" }

+    { "AcceptEnv"

+        { "1" = "LC_PAPER" }

+        { "2" = "LC_NAME" }

+        { "3" = "LC_ADDRESS" }

+        { "4" = "LC_TELEPHONE" }

+        { "5" = "LC_MEASUREMENT" } }

+    { "AcceptEnv"

+        { "6" = "LC_IDENTIFICATION" }

+        { "7" = "LC_ALL" } }

+

+

+  test Sshd_140.lns get "HostKey /etc/ssh/ssh_host_rsa_key

+HostKey /etc/ssh/ssh_host_dsa_key\n" =

+    { "HostKey" = "/etc/ssh/ssh_host_rsa_key" }

+    { "HostKey" = "/etc/ssh/ssh_host_dsa_key" }

+

+

+  test Sshd_140.lns put accept_env after

+      rm "AcceptEnv";

+      rm "AcceptEnv";

+      set "Protocol" "1.5";

+      set "X11Forwarding" "yes"

+   = "Protocol 1.5\nX11Forwarding yes\n"

+

+  test Sshd_140.lns get "AuthorizedKeysFile  %h/.ssh/authorized_keys\n" =

+    { "AuthorizedKeysFile" = "%h/.ssh/authorized_keys" }

+

+  test Sshd_140.lns get "Subsystem sftp /usr/lib/openssh/sftp-server\n" =

+    { "Subsystem"

+	{ "sftp" = "/usr/lib/openssh/sftp-server" } }

+

+  test Sshd_140.lns get "Subsystem sftp-test /usr/lib/openssh/sftp-server\n" =

+    { "Subsystem"

+	{ "sftp-test" = "/usr/lib/openssh/sftp-server" } }

+

+

+

+  let match_blocks = "X11Forwarding yes

+Match User sarko Group pres.*

+  Banner /etc/bienvenue.txt

+  X11Forwarding no

+Match User bush Group pres.* Host white.house.*

+Banner /etc/welcome.txt

+"

+  test Sshd_140.lns get match_blocks =

+    { "X11Forwarding" = "yes"}

+      { "Match"

+	  { "Condition" { "User" = "sarko"   }

+	                { "Group" = "pres.*" } }

+	  { "Settings"  { "Banner" = "/etc/bienvenue.txt" }

+       	                { "X11Forwarding" = "no" } } }

+      { "Match"

+	  { "Condition" { "User" = "bush"    }

+	                { "Group" = "pres.*" }

+	                { "Host"  = "white.house.*" } }

+	  { "Settings"  { "Banner" = "/etc/welcome.txt" } } }

+

+  test Sshd_140.lns put match_blocks after

+    insb "Subsystem" "/Match[1]";

+    set "/Subsystem/sftp" "/usr/libexec/openssh/sftp-server"

+  = "X11Forwarding yes

+Subsystem sftp /usr/libexec/openssh/sftp-server

+Match User sarko Group pres.*

+  Banner /etc/bienvenue.txt

+  X11Forwarding no

+Match User bush Group pres.* Host white.house.*

+Banner /etc/welcome.txt\n"

+

+(* Test: Sshd_140.lns

+   Indent when adding to a Match group *)

+  test Sshd_140.lns put match_blocks after

+    set "Match[1]/Settings/PermitRootLogin" "yes";

+    set "Match[1]/Settings/#comment" "a comment" =

+"X11Forwarding yes

+Match User sarko Group pres.*

+  Banner /etc/bienvenue.txt

+  X11Forwarding no

+  PermitRootLogin yes

+  # a comment

+Match User bush Group pres.* Host white.house.*

+Banner /etc/welcome.txt\n"

+

+

+(* Test: Sshd_140.lns

+     Parse Ciphers and KexAlgorithms as lists (GH issue #69) *)

+test Sshd_140.lns get "Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr

+KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1\n" =

+  { "Ciphers"

+    { "1" = "aes256-gcm@openssh.com" }

+    { "2" = "aes128-gcm@openssh.com" }

+    { "3" = "aes256-ctr" }

+    { "4" = "aes128-ctr" }

+  }

+  { "KexAlgorithms"

+    { "1" = "diffie-hellman-group-exchange-sha256" }

+    { "2" = "diffie-hellman-group14-sha1" }

+    { "3" = "diffie-hellman-group-exchange-sha1" }

+  }

+

+(* Test: Sshd_140.lns

+     Keys are case-insensitive *)

+test Sshd_140.lns get "ciPheRs aes256-gcm@openssh.com,aes128-ctr

+maTcH User foo

+  x11forwarding no\n" =

+  { "ciPheRs"

+    { "1" = "aes256-gcm@openssh.com" }

+    { "2" = "aes128-ctr" }

+  }

+  { "maTcH"

+    { "Condition"

+      { "User" = "foo" }

+    }

+    { "Settings"

+      { "x11forwarding" = "no" }

+    }

+  }

+

+(* Test: Sshd_140.lns

+     Allow AllowGroups in Match groups (GH issue #75) *)

+test Sshd_140.lns get "Match User foo

+AllowGroups users\n" =

+  { "Match" { "Condition" { "User" = "foo" } }

+    { "Settings" { "AllowGroups" { "1" = "users" } } } }

+

+(* Local Variables: *)

+(* mode: caml       *)

+(* End:             *)

diff --git a/tests/Makefile.am b/tests/Makefile.am

index b4563540..387ac7d2 100644

--- a/tests/Makefile.am

+++ b/tests/Makefile.am

@@ -189,6 +189,7 @@ lens_tests =			\

   lens-squid.sh			\

   lens-ssh.sh			\

   lens-sshd.sh			\

+  lens-sshd_140.sh			\

   lens-sssd.sh			\

   lens-stunnel.sh			\

   lens-subversion.sh		\

-- 

2.17.2