Feature request: Use comments to match Match blocks in sshd_config instead of conditions #27

Open
Feandil opened this issue Feb 1, 2016 · 0 comments

Feandil (Contributor) commented Feb 1, 2016

I'm using Puppet to define dynamic IP-based Match blocks like:

```puppet
sshd_config { 'AuthenticationMethods root trusted_ips':
  key       => 'AuthenticationMethods',
  condition => "User root Address ${ip_filter}",
  value     => join($methods, ' '),
  notify    => Service['sshd'],
}
```

Because the provider of this module uses the condition to check whether the setting is already present, whenever the ip_filter changes a new Match block is added to the configuration and the previous one is not touched/modified/replaced/removed.

One solution to this problem would be to insert a comment (e.g. equal to the resource name?) and match on this comment instead of on the condition itself.

For the record, I'm currently using the following code to achieve what I need:

```puppet
$trusted_root_methods = join($methods, ' ')

# First run: no tagged block exists yet, so append one at the end of the file
# and tag it with a marker comment that later runs can find.
augeas { 'sshd_2fa_trusted_root_insert':
  context => '/files/etc/ssh/sshd_config',
  changes => [
    'set Match[last()+1]/Condition/User root',
    "set Match[last()]/Condition/Address ${ip_filter}",
    'set Match[last()]/Settings/#comment "Multifactor root from trusted ip"',
    "set Match[last()]/Settings/AuthenticationMethods '${trusted_root_methods}'",
  ],
  before  => Augeas['sshd_2fa_trusted_root_verify'],
  onlyif  => 'match */Settings/#comment[. = "Multifactor root from trusted ip"] size == 0',
  notify  => Service['sshd'],
}

# Subsequent runs: locate the block by its marker comment and rewrite both the
# condition and the settings in place, so a changed ip_filter never leaves a
# stale Match block behind.
augeas { 'sshd_2fa_trusted_root_verify':
  context => '/files/etc/ssh/sshd_config',
  changes => [
    'defnode target */Settings/#comment[. = "Multifactor root from trusted ip"]/../.. "Multifactor root from trusted ip"',
    'rm  $target/Condition',
    'set $target/Condition/User root',
    "set \$target/Condition/Address ${ip_filter}",
    'rm  $target/Settings',
    'set $target/Settings/#comment "Multifactor root from trusted ip"',
    "set \$target/Settings/AuthenticationMethods '${trusted_root_methods}'",
  ],
  onlyif  => 'match */Settings/#comment[. = "Multifactor root from trusted ip"] size != 0',
  notify  => Service['sshd'],
}
```
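The behaviour described in this issue, as an added example that is not part of the issue, the Puppet module, or the augeas workaround above: a small Python model of an sshd_config file in which one function keys a managed Match block on its condition (the provider behaviour the reporter hits) and another keys it on a marker comment (the proposed fix). The config text, the `ensure_by_condition` / `ensure_by_marker` function names and the trusted IP ranges are constructed for the example. The point worth seeing is the security consequence: sshd uses the first obtained value for each keyword, so a stale `Match User root Address <old range>` block keeps applying the old AuthenticationMethods to the old range until something removes it.

```python
"""Keep one managed sshd_config Match block by tagging it with a marker comment.

Assumptions (not from the issue): the config is handled as plain text, the
marker is a comment on the first line inside the block, and settings are
(keyword, value) pairs. Every sample config below is constructed.
"""
import re

MATCH_RE = re.compile(r'^\s*Match\s+(.*)$', re.IGNORECASE)


def split_blocks(text):
    """Return (global_lines, blocks). A block is the 'Match ...' line plus
    everything up to the next 'Match' line or end of file, which is exactly
    how sshd scopes a Match block."""
    global_lines, blocks, current = [], [], None
    for line in text.splitlines():
        if MATCH_RE.match(line):
            current = [line]
            blocks.append(current)
        elif current is None:
            global_lines.append(line)
        else:
            current.append(line)
    return global_lines, blocks


def render(global_lines, blocks):
    lines = list(global_lines)
    for block in blocks:
        lines.extend(block)
    return "\n".join(lines) + "\n"


def block_condition(block):
    return MATCH_RE.match(block[0]).group(1).strip()


def build_block(condition, settings, marker=None):
    block = [f"Match {condition}"]
    if marker is not None:
        block.append(f"    # {marker}")
    block.extend(f"    {key} {value}" for key, value in settings)
    return block


def ensure_by_condition(text, condition, settings):
    """Provider behaviour from the issue: the block is identified by its
    condition, so a changed condition leaves the old block in place."""
    global_lines, blocks = split_blocks(text)
    for i, block in enumerate(blocks):
        if block_condition(block).lower() == condition.lower():
            blocks[i] = build_block(condition, settings)
            break
    else:
        blocks.append(build_block(condition, settings))
    return render(global_lines, blocks)


def ensure_by_marker(text, marker, condition, settings):
    """Proposed behaviour: the block is identified by a marker comment, so a
    changed condition rewrites the same block instead of adding a new one."""
    global_lines, blocks = split_blocks(text)
    tag = f"# {marker}"
    hits = [i for i, b in enumerate(blocks) if any(l.strip() == tag for l in b)]
    new_block = build_block(condition, settings, marker)
    if hits:
        blocks[hits[0]] = new_block
        for i in reversed(hits[1:]):   # collapse accidental duplicates
            del blocks[i]
    else:
        blocks.append(new_block)
    return render(global_lines, blocks)


def match_conditions(text):
    """Conditions of all Match blocks in file order, i.e. the order in which
    sshd evaluates them (first obtained value per keyword wins)."""
    return [block_condition(b) for b in split_blocks(text)[1]]


# Constructed sample config, not taken from any real host.
BASE = """Port 22
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive

Match User git
    AuthenticationMethods publickey
"""
SETTINGS = [("AuthenticationMethods", "publickey")]
MARKER = "Multifactor root from trusted ip"
OLD_RANGE = "User root Address 10.0.0.0/8"
NEW_RANGE = "User root Address 10.0.0.0/8,192.168.1.0/24"

if __name__ == "__main__":
    # Condition-keyed: after the trusted range changes, both blocks remain.
    c2 = ensure_by_condition(ensure_by_condition(BASE, OLD_RANGE, SETTINGS), NEW_RANGE, SETTINGS)
    print(match_conditions(c2))
    # Marker-keyed: the tagged block is rewritten in place.
    m2 = ensure_by_marker(ensure_by_marker(BASE, MARKER, OLD_RANGE, SETTINGS), MARKER, NEW_RANGE, SETTINGS)
    print(match_conditions(m2))
```

Running the script shows three Match conditions after the condition-keyed update (the old 10.0.0.0/8 block survives alongside the new one) and two after the marker-keyed update. The marker-keyed version is also idempotent: applying it again with unchanged inputs returns the file byte-for-byte, which is the property a Puppet provider needs to report no change.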