3 Parses /etc/ssh/sshd_config
5 Author: David Lutterkort lutter@redhat.com
6 Dominique Dumont dominique.dumont@hp.com
10 See http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5
13 This file is licensed under the LGPL v2+.
16 Sample usage of this lens in augtool:
18 * Get your current setup
19 > print /files/etc/ssh/sshd_config
22 * Set X11Forwarding to "no"
23 > set /files/etc/ssh/sshd_config/X11Forwarding "no"
28 > set /files/etc/ssh/sshd_config/Match[1]/Condition/User "foo"
29 > set /files/etc/ssh/sshd_config/Match[1]/Settings/X11Forwarding "yes"
38 In sshd_config, Match blocks must be located at the end of the file, because every keyword that follows a Match line belongs to that block until the next Match line or the end of the file.
39 This means that any new "global" parameters (i.e. outside of a Match
40 block) must be written before the first Match block. By default,
41 Augeas will write new parameters at the end of the file.
43 For example, if you have a Match section and no ChrootDirectory parameter,
46 > set /files/etc/ssh/sshd_config/ChrootDirectory "foo"
48 will be stored in a new node after the Match section and Augeas will
49 refuse to save the sshd_config file.
51 To create a new parameter at the right place, you must first create
52 a new Augeas node before the Match section:
54 > ins ChrootDirectory before /files/etc/ssh/sshd_config/Match
56 Then, you can set the parameter
58 > set /files/etc/ssh/sshd_config/ChrootDirectory "foo"
61 About: Configuration files
62 This lens applies to /etc/ssh/sshd_config
(* End of line: consumes optional trailing blanks and the newline on input,
   writes back a bare newline. *)
69 let eol = del /[ \t]*\n/ "\n"
(* Keyword/value separator: any mix of blanks and '=' on input (so the
   "Keyword=value" spelling is accepted), a single space on output. *)
71 let sep = del /[ \t=]+/ " "
(* Leading indentation of a line inside a Match block: optional blanks on
   input, one space on output. *)
73 let indent = del /[ \t]*/ " "
(* Keyword accepted by the generic entry lens: any alphanumeric word EXCEPT the
   keywords that have a dedicated lens below (Match, Subsystem, the
   space-separated and the comma-separated list keywords), compared
   case-insensitively. The subtraction is what keeps the [entry] union
   unambiguous; whenever a specialised lens is added for a keyword, that
   keyword must be added to this exclusion list as well. *)
75 let key_re = /[A-Za-z0-9]+/
76 - /MACs|Match|AcceptEnv|Subsystem|Ciphers|((GSSAPI|)Kex|HostKey|CASignature|PubkeyAccepted)Algorithms|PubkeyAcceptedKeyTypes|(Allow|Deny)(Groups|Users)/i
(* Comment and blank-line lenses shared with other lenses through Util. The
   [_noindent] variant is used where [indent] has already consumed the
   leading blanks (see [match_entry] below). *)
78 let comment = Util.comment
79 let comment_noindent = Util.comment_noindent
80 let empty = Util.empty
(* Space-separated multi-value keyword (AcceptEnv, AllowUsers, ...).
   [kw] is the keyword regexp, [sq] the name of the sequence counter: every
   value becomes a numbered child node. A value is either a bare token (no
   blanks, quotes or '=') or a quoted string that contains whitespace;
   quoting is delegated to the Quote module. The [key kw] line and the
   closing [eol] line of this definition are not shown on this page. *)
82 let array_entry (kw:regexp) (sq:string) =
83 let bare = Quote.do_quote_opt_nil (store /[^"' \t\n=]+/) in
84 let quoted = Quote.do_quote (store /[^"'\n]*[ \t]+[^"'\n]*/) in
86 . ( [ sep . seq sq . bare ] | [ sep . seq sq . quoted ] )*
(* Presumably the body of [other_entry], the generic keyword/value lens
   referenced by the [entry] union below (its [let] header is not shown on
   this page). The value is a run of non-blank tokens joined by blanks or
   '=', so trailing blanks are left for [eol]; any keyword matching
   [key_re] is accepted without further validation. *)
90 let value = store /[^ \t\n=]+([ \t=]+[^ \t\n=]+)*/ in
91 [ key key_re . sep . value . eol ]
(* Keywords whose value is a space-separated list; each item is stored as a
   numbered child under the keyword node. The second argument names the
   sequence counter. *)
93 let accept_env = array_entry /AcceptEnv/i "AcceptEnv"
95 let allow_groups = array_entry /AllowGroups/i "AllowGroups"
96 let allow_users = array_entry /AllowUsers/i "AllowUsers"
97 let deny_groups = array_entry /DenyGroups/i "DenyGroups"
98 let deny_users = array_entry /DenyUsers/i "DenyUsers"
(* Presumably the per-subsystem node used by the Subsystem lens below (the
   [let] header is not shown on this page). Unlike [key_re] the key may
   contain '-', and the value runs from the first to the last non-blank
   character of the line, so it may contain spaces (e.g. a command followed
   by its arguments). *)
101 let value = store (/[^ \t\n=](.*[^ \t\n=])?/) in
102 [ key /[A-Za-z0-9\-]+/ . sep . value . eol ]
(* Subsystem line (its [let] header is not shown on this page): the keyword
   node wraps a single child built by [subsystemvalue]. No [eol] is appended
   here, so the child lens is expected to consume the end of line itself. *)
105 [ key /Subsystem/i . sep . subsystemvalue ]
(* Comma-separated list keyword (MACs, Ciphers, the *Algorithms keywords...).
   [kw] is the keyword regexp, [sq] the name of the sequence counter; each
   item becomes a numbered child and the comma is removed from the tree.
   An item may not contain ',', blanks or '='. Only part of this definition
   is shown on this page: the [key kw . sep] line and the first-item line are
   missing, and the line shown here handles the comma-prefixed items. *)
107 let list (kw:regexp) (sq:string) =
108 let value = store /[^, \t\n=]+/ in
111 ([ seq sq . Util.del_str "," . value])* .
(* Keywords whose value is a comma-separated list of algorithm names; each
   name is stored as a numbered child under the keyword node. The second
   argument names the sequence counter. *)
114 let macs = list /MACs/i "MACs"
116 let ciphers = list /Ciphers/i "Ciphers"
118 let kexalgorithms = list /KexAlgorithms/i "KexAlgorithms"
120 let hostkeyalgorithms = list /HostKeyAlgorithms/i "HostKeyAlgorithms"
122 let gssapikexalgorithms = list /GSSAPIKexAlgorithms/i "GSSAPIKexAlgorithms"
124 let casignaturealgorithms = list /CASignatureAlgorithms/i "CASignatureAlgorithms"
126 let pubkeyacceptedkeytypes = list /PubkeyAcceptedKeyTypes/i "PubkeyAcceptedKeyTypes"
128 let pubkeyacceptedalgorithms = list /PubkeyAcceptedAlgorithms/i "PubkeyAcceptedAlgorithms"
(* Any single configuration line outside a Match header: the specialised
   lenses first, the generic [other_entry] last. Every keyword handled by a
   specialised lens is subtracted from [key_re], so the union is
   unambiguous. *)
130 let entry = accept_env | allow_groups | allow_users
131 | deny_groups | subsystem | deny_users
132 | macs | ciphers | kexalgorithms | hostkeyalgorithms
133 | gssapikexalgorithms | casignaturealgorithms
134 | pubkeyacceptedkeytypes | pubkeyacceptedalgorithms | other_entry
(* One "criterion value" pair on a Match line (e.g. User foo, as in the
   header example). The leading [sep] consumes the blank that precedes each
   pair. The value is either a single token, optionally double-quoted, or a
   quoted string that contains a space. [k] is any alphanumeric word, so the
   lens accepts unknown criteria names rather than rejecting them. *)
136 let condition_entry =
137 let k = /[A-Za-z0-9]+/ in
138 let no_spc = Quote.do_dquote_opt (store /[^"' \t\n=]+/) in
139 let spc = Quote.do_quote (store /[^"'\t\n]* [^"'\t\n]*/) in
140 [ sep . key k . sep . no_spc ]
141 | [ sep . key k . sep . spc ]
(* "Condition" node holding the one or more criteria of a Match line up to
   the end of that line (the [let] header of this definition is not shown on
   this page). *)
144 [ label "Condition" . condition_entry+ . eol ]
(* One line inside a Match block: the leading blanks are consumed by
   [indent], hence the [_noindent] comment variant. This definition may
   continue on a line that is not shown on this page. *)
146 let match_entry = indent . (entry | comment_noindent)
(* Match block (the [let] header and the closing bracket are not shown on
   this page): a "Match" node with the "Condition" child followed by a
   "Settings" child holding the lines of the block. *)
150 [ key /Match/i . match_cond
151 . [ label "Settings" . match_entry+ ]
(* Whole file: global entries, comments and blank lines, then zero or more
   Match blocks. Nothing may follow [match*], which is why a new global
   setting created after an existing Match node cannot be saved (see the
   header of this file for how to insert it before the Match node). *)
154 let lns = (entry | comment | empty)* . match*
(* The main file plus the drop-ins under sshd_config.d. NOTE(review): the
   lens parses the drop-ins unconditionally; whether sshd reads them depends
   on an Include directive in the main file, which this lens treats as an
   ordinary keyword/value entry (Include is not excluded from [key_re]). *)
156 let filter = (incl "/etc/ssh/sshd_config" )
157 . ( incl "/etc/ssh/sshd_config.d/*.conf" )
(* Bind the lens to the files selected by [filter]. *)
159 let xfm = transform lns filter
161 (* Local Variables: *)