Unable to add Match to /etc/sshd_conf #830

Closed
mburlic opened this issue Apr 10, 2024 · 2 comments

Comments

@mburlic

mburlic commented Apr 10, 2024

Unable to add to /etc/sshd_conf with the puppet module and version 1.14.1. Using augtool 1.12.0 works without issues. Thank you for looking at this.

With version 1.12.0 from the Debian repo everything works fine:

root@stroj:~# augtool --version
augtool 1.12.0 <http://augeas.net/>
augtool> set /files/etc/ssh/sshd_config/Match/Condition/Address 192.168.0.3
augtool> set /files/etc/ssh/sshd_config/Match/Condition/User user
augtool> set /files/etc/ssh/sshd_config/Match/Settings/PubkeyAcceptedAlgorithms +ssh-rsa
augtool> save
Saved 1 file(s)

The Puppet config gets an error:

augeas { 'sshd_allow_rsa':
  incl    => '/etc/ssh/sshd_config',
  lens    => 'Sshd.lns',
  # all paths in 'changes' are relative to this context
  context => '/files/etc/ssh/sshd_config/Match/',
  changes => [
    'set Condition/Address 192.168.0.3',
    'set Condition/User user',
    'set Settings/PubkeyAcceptedAlgorithms +ssh-rsa',
  ],
  notify  => Service['ssh'],
}

Debug run error:

Debug: Augeas[sshd_allow_rsa](provider=augeas): sending command 'set' with params ["/files/etc/ssh/sshd_config/Match/Condition/Address", "192.168.0.3"]
Debug: Augeas[sshd_allow_rsa](provider=augeas): sending command 'set' with params ["/files/etc/ssh/sshd_config/Match/Condition/User", "user"]
Debug: Augeas[sshd_allow_rsa](provider=augeas): sending command 'set' with params ["/files/etc/ssh/sshd_config/Match/Settings/PubkeyAcceptedAlgorithms", "+ssh-rsa"]
Debug: Augeas[sshd_allow_rsa](provider=augeas): Put failed on one or more files, output from /augeas//error:
Debug: Augeas[sshd_allow_rsa](provider=augeas): /augeas/files/etc/ssh/sshd_config/error = put_failed
Debug: Augeas[sshd_allow_rsa](provider=augeas): /augeas/files/etc/ssh/sshd_config/error/path = /files/etc/ssh/sshd_config/files/etc/ssh/sshd_config/Match/Settings
Debug: Augeas[sshd_allow_rsa](provider=augeas): /augeas/files/etc/ssh/sshd_config/error/lens = /opt/puppetlabs/puppet/share/augeas/lenses/dist/sshd.aug:151.12-.44:
Debug: Augeas[sshd_allow_rsa](provider=augeas): /augeas/files/etc/ssh/sshd_config/error/message = Failed to match tree under /files/etc/ssh/sshd_config/Match/Settings

     { "PubkeyAcceptedAlgorithms" = "+ssh-rsa" }

Same when trying with version 1.14.1:

root@stroj:~# /opt/puppetlabs/puppet/bin/augtool --version
augtool 1.14.1 <http://augeas.net/>
root@stroj:~# /opt/puppetlabs/puppet/bin/augtool 
augtool> set /files/etc/ssh/sshd_config/Match/Condition/Address 192.168.0.3
augtool> set /files/etc/ssh/sshd_config/Match/Condition/User user
augtool> set /files/etc/ssh/sshd_config/Match/Settings/PubkeyAcceptedAlgorithms +ssh-rsa
augtool> save
error: Failed to execute command
saving failed (run 'errors' for details)
Error in /etc/ssh/sshd_config at node /files/etc/ssh/sshd_config/files/etc/ssh/sshd_config/Match/Settings (put_failed)
  Failed to match tree under /files/etc/ssh/sshd_config/Match/Settings

     { "PubkeyAcceptedAlgorithms" = "+ssh-rsa" }

  with pattern

@georgehansper
Member

Hello Mihael,

This problem is due to a change made by #806.

Prior to this change (1.12.0) the sshd.aug lens expected a simple string value for PubkeyAcceptedAlgorithms.

#806 changed PubkeyAcceptedAlgorithms to be a sequential list, e.g.

set /files/etc/ssh/sshd_config/Match/Settings/PubkeyAcceptedAlgorithms/1 +ssh-rsa

This brings the parameter PubkeyAcceptedAlgorithms into line with the other parameters in sshd.aug, which are also "lists" of items, like Ciphers, KexAlgorithms and HostKeyAlgorithms.

e.g. the 2 lines

are transformed into the Augeas paths

/files/etc/ssh/sshd_config/KexAlgorithms
/files/etc/ssh/sshd_config/KexAlgorithms/1 = "+curve25519-sha256"
/files/etc/ssh/sshd_config/KexAlgorithms/2 = "[email protected]"
/files/etc/ssh/sshd_config/Ciphers
/files/etc/ssh/sshd_config/Ciphers/1 = "[email protected]"
/files/etc/ssh/sshd_config/Ciphers/2 = "[email protected]"
/files/etc/ssh/sshd_config/Ciphers/3 = "[email protected]"

where each element of the list has a separate path.

While this change may seem a bit arbitrary, it does make it easier to make smaller, idempotent changes to the sshd_config,

e.g. to append the value ssh-rsa if it does not already exist:

set /files/etc/ssh/sshd_config/Match/Settings/PubkeyAcceptedAlgorithms/seq::*[.="ssh-rsa"] ssh-rsa

Any existing entries in the list remain unchanged.

Unfortunately, the optional leading prefix + or - or ^ is not handled separately by the existing sshd.aug lens.
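The tree layout described in this answer, as an added illustration that is not Augeas or sshd.aug code: a small Python model that parses a constructed sshd_config into the post-#806 numbered paths (`Ciphers/1`, `Ciphers/2`, ...), models the plain `set` that fails for a list keyword under 1.14.1, models the idempotent `seq::*[.="ssh-rsa"]` append, and writes the tree back out. The keyword list, the single-Match simplification and the sample config are assumptions of this example; the real lens covers more keywords and multiple Match blocks. It also shows the caveat from the last paragraph: `+ssh-rsa` and `ssh-rsa` are different list elements, because the prefix stays attached to the value.

```python
# Added illustration of the Augeas sshd.aug tree layout (post-#806); not
# Augeas code.  Simplifications (assumptions of this example): one Match block
# at most, a small set of list-valued keywords, constructed sample config.
from collections import OrderedDict

# Keywords the (real) lens stores as numbered children; subset, assumed here.
LIST_KEYWORDS = {
    "Ciphers", "KexAlgorithms", "HostKeyAlgorithms", "MACs",
    "PubkeyAcceptedAlgorithms", "PubkeyAcceptedKeyTypes",
}

# Constructed sample, not taken from any real host.
SAMPLE_CONFIG = """\
# constructed sample sshd_config
Port 22
KexAlgorithms +curve25519-sha256,diffie-hellman-group16-sha512
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com
Match User user Address 192.168.0.3
    PubkeyAcceptedAlgorithms +ssh-rsa
"""


def parse_sshd_config(text):
    """Map config lines to paths relative to /files/etc/ssh/sshd_config.
    A list keyword gets a parent node (value None) plus children /1, /2, ..."""
    tree = OrderedDict()
    prefix = ""                      # becomes "Match/Settings/" after a Match line
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        rest = rest.strip()
        if keyword == "Match":
            tokens = rest.split()    # criteria come in "Criterion value" pairs
            for crit, val in zip(tokens[0::2], tokens[1::2]):
                tree[f"Match/Condition/{crit}"] = val
            prefix = "Match/Settings/"
            continue
        path = prefix + keyword
        if keyword in LIST_KEYWORDS:
            tree[path] = None
            for i, item in enumerate(rest.split(","), start=1):
                tree[f"{path}/{i}"] = item
        else:
            tree[path] = rest
    return tree


def list_items(tree, path):
    """Return the values of PATH/1, PATH/2, ... in order."""
    items, i = [], 1
    while f"{path}/{i}" in tree:
        items.append(tree[f"{path}/{i}"])
        i += 1
    return items


def set_value(tree, path, value):
    """Model of a plain `set PATH VALUE`.  Under the post-#806 lens a list
    keyword node only carries numbered children, so a string on the parent
    cannot be written back; this collapses augtool's set + save into one
    call and raises where the report shows `put_failed`."""
    keyword = path.rsplit("/", 1)[-1]
    if keyword in LIST_KEYWORDS:
        raise ValueError(f"put_failed: {path} takes numbered children, not a string")
    tree[path] = value


def seq_set(tree, path, value):
    """Model of `set PATH/seq::*[.="VALUE"] VALUE`: append VALUE as the next
    numbered child only if no child already holds exactly VALUE.
    Returns True when a node was added.  Note "+ssh-rsa" != "ssh-rsa"."""
    items = list_items(tree, path)
    if value in items:
        return False
    tree.setdefault(path, None)
    tree[f"{path}/{len(items) + 1}"] = value
    return True


def render(tree):
    """Write the tree back out as config text: globals, then the Match block."""
    lines = []

    def emit(prefix, indent):
        for path, value in tree.items():
            rel = path[len(prefix):]
            if not path.startswith(prefix) or "/" in rel:
                continue             # numbered children fold into the parent line
            text = value if value is not None else ",".join(list_items(tree, path))
            lines.append(f"{indent}{rel} {text}")

    emit("", "")
    conds = [(p.rsplit("/", 1)[-1], v) for p, v in tree.items()
             if p.startswith("Match/Condition/")]
    if conds:
        lines.append("Match " + " ".join(f"{c} {v}" for c, v in conds))
        emit("Match/Settings/", "    ")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    t = parse_sshd_config(SAMPLE_CONFIG)
    for p, v in t.items():
        print(f"/files/etc/ssh/sshd_config/{p}" + (f' = "{v}"' if v is not None else ""))
    seq_set(t, "Match/Settings/PubkeyAcceptedAlgorithms", "ssh-rsa")
    print(render(t))
```

Running it prints the same path listing shape as the KexAlgorithms/Ciphers example above; the augtool equivalent of `seq_set` is the `seq::*[.="ssh-rsa"]` command in the answer, and the plain `set` on the parent node is exactly what the reporter's 1.14.1 session did before `save` failed.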

@mburlic
Author

mburlic commented Apr 23, 2024

That's it! Thank you for your time and for your detailed answer.

@mburlic mburlic closed this as completed Apr 23, 2024