diff --git a/src/conf-mode/vyos-config-ssh.py b/src/conf-mode/vyos-config-ssh.py
index e91e829b2..be7af64be 100755
--- a/src/conf-mode/vyos-config-ssh.py
+++ b/src/conf-mode/vyos-config-ssh.py
@@ -1,67 +1,224 @@
#!/usr/bin/env python3
#
# Copyright (C) 2018 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
#
import sys
import os
import time
from vyos.config import Config
from vyos.util import ConfigError
config_file = r'/etc/ssh/sshd_config'
def get_config():
ssh = {}
conf = Config()
conf.set_level('service ssh')
if not conf.exists(''):
return ssh
+ if conf.exists('access-control allow'):
+ ssh.setdefault('allowed-users', [])
+ allow_user = []
+ allow_user = conf.return_values('access-control allow user')
+ for user in allow_user:
+ ssh['allowed-users'].append(user)
+
+ ssh.setdefault('allowed-groups', [])
+ allow_group = []
+ allow_group = conf.return_values('access-control allow group')
+ for group in allow_group:
+ ssh['allowed-groups'].append(group)
+
+ if conf.exists('access-control deny'):
+ ssh.setdefault('deny-users', [])
+ deny_user = []
+ deny_user = conf.return_values('access-control deny user')
+ for user in deny_user:
+ ssh['deny-users'].append(user)
+
+ ssh.setdefault('deny-groups', [])
+ deny_group = []
+ deny_group = conf.return_values('access-control deny group')
+ for group in deny_group:
+ ssh['deny-groups'].append(group)
+
+ if conf.exists('allow-root'):
+ ssh.setdefault('allow-root', True)
+
+ if conf.exists('ciphers'):
+ ciphers = conf.return_value('ciphers')
+ ssh.setdefault('ciphers', ciphers)
+
+ if conf.exists('disable-host-validation'):
+ ssh.setdefault('disable-host-validation', True)
+
+ if conf.exists('disable-password-authentication'):
+ ssh.setdefault('disable-password-authentication', True)
+
+ if conf.exists('key-exchange'):
+ kex = conf.return_value('key-exchange')
+ ssh.setdefault('key-exchange', kex)
+
+ if conf.exists('listen-address'):
+ ssh.setdefault('listen-address', [])
+ addresses = []
+ addresses = conf.return_values('listen-address')
+ for addr in addresses:
+ ssh['listen-address'].append(addr)
+
+ if conf.exists('loglevel'):
+ level = conf.return_value('loglevel')
+ ssh.setdefault('loglevel', level)
+
+ if conf.exists('mac'):
+ mac = conf.return_value('mac')
+ ssh.setdefault('mac', mac)
+
+ if conf.exists('port'):
+ port = conf.return_value('port')
+ ssh.setdefault('port', port)
+
+ print(ssh)
return ssh
def verify(ssh):
return None
def generate(ssh):
config_header = '### Autogenerated by vyos-config-ssh.py on {tm} ###\n'.format(tm=time.strftime("%a, %d %b %Y %H:%M:%S", time.localtime()))
# write new configuration file
f = open(config_file, 'w')
f.write(config_header)
f.write('\n')
+
+ if 'port' in ssh.keys():
+ f.write('Port {0}\n'.format(ssh['port']))
+ else:
+ f.write('Port 22\n')
+
+ f.write('Protocol 2\n')
+ f.write('HostKey /etc/ssh/ssh_host_rsa_key\n')
+ f.write('HostKey /etc/ssh/ssh_host_dsa_key\n')
+ f.write('HostKey /etc/ssh/ssh_host_ecdsa_key\n')
+ f.write('HostKey /etc/ssh/ssh_host_ed25519_key\n')
+ f.write('UsePrivilegeSeparation yes\n')
+ f.write('\n')
+ f.write('KeyRegenerationInterval 3600\n')
+ f.write('ServerKeyBits 1024\n')
+ f.write('\n')
+ f.write('SyslogFacility AUTH\n')
+
+ if 'loglevel' in ssh.keys():
+ f.write('LogLevel {0}\n'.format(ssh['loglevel']))
+ else:
+ f.write('LogLevel INFO\n')
+
+ f.write('\n')
+ f.write('LoginGraceTime 120\n')
+
+ if 'allow-root' in ssh.keys():
+ f.write('PermitRootLogin yes\n')
+ else:
+ f.write('PermitRootLogin no\n')
+
+ f.write('StrictModes yes\n')
+ f.write('\n')
+ f.write('RSAAuthentication yes\n')
+ f.write('PubkeyAuthentication yes\n')
+ f.write('\n')
+ f.write('IgnoreRhosts yes\n')
+ f.write('RhostsRSAAuthentication no\n')
+ f.write('HostbasedAuthentication no\n')
+ f.write('\n')
+ f.write('PermitEmptyPasswords no\n')
+ f.write('\n')
+ f.write('ChallengeResponseAuthentication no\n')
+ f.write('\n')
+
+ if 'disable-password-authentication' in ssh.keys():
+ f.write('PasswordAuthentication no\n')
+ else:
+ f.write('PasswordAuthentication yes\n')
+
+ f.write('\n')
+ f.write('X11Forwarding yes\n')
+ f.write('X11DisplayOffset 10\n')
+ f.write('PrintMotd no\n')
+ f.write('PrintLastLog yes\n')
+ f.write('TCPKeepAlive yes\n')
+ f.write('\n')
+ f.write('Banner /etc/issue.net\n')
+ f.write('\n')
+ f.write('Subsystem sftp /usr/lib/openssh/sftp-server\n')
+ f.write('\n')
+ f.write('UsePAM yes\n')
+ f.write('HostKey /etc/ssh/ssh_host_key\n')
+
+ if 'disable-host-validation' in ssh.keys():
+ f.write('UseDNS no\n')
+ else:
+ f.write('UseDNS yes\n')
+
+ if 'listen-address' in ssh.keys():
+ for addr in ssh['listen-address']:
+ f.write('ListenAddress {0}\n'.format(addr))
+
+ if 'ciphers' in ssh.keys():
+ f.write('Ciphers {0}\n'.format(ssh['ciphers']))
+
+ if 'key-exchange' in ssh.keys():
+ f.write('KexAlgorithms {0}\n'.format(ssh['key-exchange']))
+
+ if 'mac' in ssh.keys():
+ f.write('MACs {0}\n'.format(ssh['mac']))
+
+ if 'allowed-users' in ssh.keys():
+ print('AllowUsers {0}\n'.format(' '.join(str(usr) for usr in ssh['allowed-users'])))
+
+ if 'allowed-groups' in ssh.keys():
+ print('AllowGroups {0}\n'.format(' '.join(str(grp) for grp in ssh['allowed-groups'])))
+
+ if 'deny-users' in ssh.keys():
+ print('DenyUsers {0}\n'.format(' '.join(str(usr) for usr in ssh['deny-users'])))
+
+ if 'deny-groups' in ssh.keys():
+ print('DenyGroups {0}\n'.format(' '.join(str(grp) for grp in ssh['deny-groups'])))
+
f.close()
return None
def apply(ssh):
- if len(ssh) == 0:
- cmd = "sudo systemctl stop ssh"
+ if 'port' in ssh.keys():
+ cmd = "sudo systemctl restart ssh"
else:
- cmd = "sudo systemctl start ssh"
+ cmd = "sudo systemctl stop ssh"
os.system(cmd)
return None
if __name__ == '__main__':
try:
c = get_config()
verify(c)
generate(c)
apply(c)
except ConfigError as e:
print(e)
sys.exit(1)