I am trying to manage the "Match User" and "Match Group" sections in
sshd_config.
I am not sure what I don't have quite right.
It works if I have only one section, but when I try to manage multiple
sections it doesnt work.
I get warnings on the first pass with the delete sections, because they
don't exist yet.
$ cf-agent -KIf ./sshd_sftponly.cf
!! The promised line insertion ( ChrootDirectory /sftp-jail/%u)
could not select an edit region in /tmp/sshd_config
I: Report relates to a promise with handle ""
I: Made in version 'not specified' of './sshd_sftponly.cf' near line 62
!! The promised line insertion ( ForceCommand internal-sftp) could
not select an edit region in /tmp/sshd_config
I: Report relates to a promise with handle ""
I: Made in version 'not specified' of './sshd_sftponly.cf' near line 62
-> Edited file /tmp/sshd_config
!! The promised line insertion ( ChrootDirectory /sftp-jail/%u)
could not select an edit region in /tmp/sshd_config
I: Report relates to a promise with handle ""
I: Made in version 'not specified' of './sshd_sftponly.cf' near line 90
!! The promised line insertion ( ForceCommand internal-sftp) could
not select an edit region in /tmp/sshd_config
I: Report relates to a promise with handle ""
I: Made in version 'not specified' of './sshd_sftponly.cf' near line 90
-> Edited file /tmp/sshd_config
and it adds the sections to the config
$ cat /tmp/sshd_config
Match User restricteduser
Match Group sftponly
on the second execution I get no errors
$ cf-agent -KIf ./sshd_sftponly.cf
-> Edited file /tmp/sshd_config
but only one section is edited.
$ cat /tmp/sshd_config
Match User restricteduser
Match Group sftponly
ChrootDirectory /sftp-jail/%u
ForceCommand internal-sftp
--
Nick Anderson <[email protected]>
body common control {
bundlesequence => {
"main",
};
inputs => {
"cfengine_stdlib.cf",
};
}
bundle agent main {
methods:
"any" usebundle => test;
}
bundle agent test {
vars:
"restricted_user_ssh[ChrootDirectory]" string => "/sftp-jail/%u";
"restricted_user_ssh[ForceCommand]" string => "internal-sftp";
"sftponly_group_ssh[ChrootDirectory]" string => "/sftp-jail/%u";
"sftponly_group_ssh[ForceCommand]" string => "internal-sftp";
files:
"/tmp/sshd_config"
create => "true",
edit_line => set_config_values_sshd_match_user("restricteduser",
"test.restricted_user_ssh");
"/tmp/sshd_config"
create => "true",
edit_line => set_config_values_sshd_match_group("sftponly",
"test.sftponly_group_ssh");
}
bundle edit_line set_config_values_sshd_match_user(user, settings) {
# This bundle only manages settings that it is given, it does not remove
# extraneous settings in the section
vars:
"settings_index" slist => getindices("$(settings)");
"line" string => "Match User $(user)";
"cline" string => canonify("$(line)");
replace_patterns:
"^(?!$(line))Match\s*User\s*$(user)$"
replace_with => value("Match User $(user)"),
comment => "Make sure there is consistency in form",
classes => always("replace_done_$(cline)");
insert_lines:
"$(line)"
ifvarclass => "replace_done_$(cline)";
delete_lines:
"\s*$(settings_index).*"
select_region => sshd_config_match_user("$(user)");
insert_lines:
" $(settings_index) $($(this.settings)[$(this.settings_index)])",
select_region => sshd_config_match_user("$(user)");
}
bundle edit_line set_config_values_sshd_match_group(group, settings) {
# This bundle only manages settings that it is given, it does not remove
# extraneous settings in the section
vars:
"settings_index" slist => getindices("$(settings)");
"line" string => "Match Group $(group)";
"cline" string => canonify("$(line)");
replace_patterns:
"^(?!$(line))Match\s*Group\s*$(group)$"
replace_with => value("Match Group $(group)"),
comment => "Make sure there is consistency in form",
classes => always("replace_done_$(cline)");
insert_lines:
"$(line)"
ifvarclass => "replace_done_$(cline)";
delete_lines:
"\s*$(settings_index).*"
select_region => sshd_config_match_group("$(group)");
insert_lines:
" $(settings_index) $($(this.settings)[$(this.settings_index)])",
select_region => sshd_config_match_group("$(group)");
}
body select_region sshd_config_match_user (x) {
select_start => "^Match\s*User\s*$(x)";
select_end => "^Match\s*";
include_start_delimiter => "true";
include_end_delimiter => "false";
}
body select_region sshd_config_match_group (x) {
select_start => "^Match\s*Group\s*$(x)";
select_end => "^Match\s*";
include_start_delimiter => "true";
include_end_delimiter => "false";
}
_______________________________________________
Help-cfengine mailing list
[email protected]
https://cfengine.org/mailman/listinfo/help-cfengine
