hercules-team / augeas

A configuration editing tool and API
http://augeas.net/
GNU Lesser General Public License v2.1

Unable to add Match to /etc/sshd_conf #830

Closed mburlic closed 7 months ago

mburlic commented 7 months ago

Unable to add to /etc/sshd_conf with the puppet module and version 1.14.1. Using augtool 1.12.0 works without issues. Thank you for looking at this.

With version 1.12.0 from the Debian repo everything works fine.

root@stroj:~# augtool --version
augtool 1.12.0 <http://augeas.net/>
augtool> set /files/etc/ssh/sshd_config/Match/Condition/Address 192.168.0.3
augtool> set /files/etc/ssh/sshd_config/Match/Condition/User user
augtool> set /files/etc/ssh/sshd_config/Match/Settings/PubkeyAcceptedAlgorithms +ssh-rsa
augtool> save
Saved 1 file(s)

The puppet config gets an error

augeas { 'sshd_allow_rsa':
  incl    => '/etc/ssh/sshd_config',
  lens    => 'Sshd.lns',
  context => '/files/etc/ssh/sshd_config/Match/',
  changes => [
    'set Condition/Address 192.168.0.3',
    'set Condition/User user',
    'set Settings/PubkeyAcceptedAlgorithms +ssh-rsa',
  ],
  notify  => Service['ssh'],
}

debug run error

Debug: Augeas[sshd_allow_rsa](provider=augeas): sending command 'set' with params ["/files/etc/ssh/sshd_config/Match/Condition/Address", "192.168.0.3"]
Debug: Augeas[sshd_allow_rsa](provider=augeas): sending command 'set' with params ["/files/etc/ssh/sshd_config/Match/Condition/User", "user"]
Debug: Augeas[sshd_allow_rsa](provider=augeas): sending command 'set' with params ["/files/etc/ssh/sshd_config/Match/Settings/PubkeyAcceptedAlgorithms", "+ssh-rsa"]
Debug: Augeas[sshd_allow_rsa](provider=augeas): Put failed on one or more files, output from /augeas//error:
Debug: Augeas[sshd_allow_rsa](provider=augeas): /augeas/files/etc/ssh/sshd_config/error = put_failed
Debug: Augeas[sshd_allow_rsa](provider=augeas): /augeas/files/etc/ssh/sshd_config/error/path = /files/etc/ssh/sshd_config/files/etc/ssh/sshd_config/Match/Settings
Debug: Augeas[sshd_allow_rsa](provider=augeas): /augeas/files/etc/ssh/sshd_config/error/lens = /opt/puppetlabs/puppet/share/augeas/lenses/dist/sshd.aug:151.12-.44:
Debug: Augeas[sshd_allow_rsa](provider=augeas): /augeas/files/etc/ssh/sshd_config/error/message = Failed to match tree under /files/etc/ssh/sshd_config/Match/Settings

     { "PubkeyAcceptedAlgorithms" = "+ssh-rsa" }

Same as trying with version 1.14.1

root@stroj:~# /opt/puppetlabs/puppet/bin/augtool --version
augtool 1.14.1 <http://augeas.net/>
root@stroj:~# /opt/puppetlabs/puppet/bin/augtool 
augtool> set /files/etc/ssh/sshd_config/Match/Condition/Address 192.168.0.3
augtool> set /files/etc/ssh/sshd_config/Match/Condition/User user
augtool> set /files/etc/ssh/sshd_config/Match/Settings/PubkeyAcceptedAlgorithms +ssh-rsa
augtool> save
error: Failed to execute command
saving failed (run 'errors' for details)
Error in /etc/ssh/sshd_config at node /files/etc/ssh/sshd_config/files/etc/ssh/sshd_config/Match/Settings (put_failed)
  Failed to match tree under /files/etc/ssh/sshd_config/Match/Settings

     { "PubkeyAcceptedAlgorithms" = "+ssh-rsa" }

  with pattern

georgehansper commented 7 months ago

Hello Mihael,

This problem is due to a change made by #806

Prior to this change (1.12.0), the sshd.aug lens expected a simple string value for PubkeyAcceptedAlgorithms.

#806 changed PubkeyAcceptedAlgorithms to a sequential list, e.g.

set /files/etc/ssh/sshd_config/Match/Settings/PubkeyAcceptedAlgorithms/1 +ssh-rsa

This brings the parameter PubkeyAcceptedAlgorithms into line with the other parameters in sshd.aug, which are also "lists" of items, like Ciphers, KexAlgorithms and HostKeyAlgorithms.

E.g. the 2 lines

KexAlgorithms  +curve25519-sha256,curve25519-sha256@libssh.org
Ciphers aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com

are transformed into the Augeas paths

/files/etc/ssh/sshd_config/KexAlgorithms
/files/etc/ssh/sshd_config/KexAlgorithms/1 = "+curve25519-sha256"
/files/etc/ssh/sshd_config/KexAlgorithms/2 = "curve25519-sha256@libssh.org"
/files/etc/ssh/sshd_config/Ciphers
/files/etc/ssh/sshd_config/Ciphers/1 = "aes128-gcm@openssh.com"
/files/etc/ssh/sshd_config/Ciphers/2 = "aes256-gcm@openssh.com"
/files/etc/ssh/sshd_config/Ciphers/3 = "chacha20-poly1305@openssh.com"

where each element of the list has a separate path.

While this change may seem a bit arbitrary, it does make it easier to make smaller, idempotent changes to the sshd_config

E.g. to append the value ssh-rsa if it does not already exist:

set /files/etc/ssh/sshd_config/Match/Settings/PubkeyAcceptedAlgorithms/seq::*[.="ssh-rsa"] ssh-rsa

Any existing entries in the list remain unchanged.

Unfortunately, the optional leading prefix +, - or ^ is not handled separately by the existing sshd.aug lens.
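As an added example (not code from this issue, from Augeas or from the sshd.aug lens), here is a small Python model of the path mapping the comment describes and of the idempotent `seq::*` append, together with a lookup that tolerates the leading prefix the lens does not split off. The function names `to_tree`, `list_items`, `append_if_missing` and `has_algorithm` are my own, and the only input is the two sshd_config lines quoted above.

```python
import re

# Constructed sample input: the two list-valued lines quoted in the comment
# above, not a real sshd_config taken from the issue.
SAMPLE_SSHD_CONFIG = """\
KexAlgorithms  +curve25519-sha256,curve25519-sha256@libssh.org
Ciphers aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
"""
BASE = "/files/etc/ssh/sshd_config"
# Keywords the comment says sshd.aug stores as numbered lists (after #806).
LIST_KEYWORDS = {"Ciphers", "KexAlgorithms", "HostKeyAlgorithms", "PubkeyAcceptedAlgorithms"}

def to_tree(text, base=BASE):
    """Model of the lens mapping: every comma-separated item of a list keyword
    becomes its own numbered child path; other keywords keep a plain value."""
    tree = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, value = re.split(r"\s+", line, maxsplit=1)
        if key in LIST_KEYWORDS:
            tree[f"{base}/{key}"] = None          # the list node has no value of its own
            for n, item in enumerate(value.split(","), start=1):
                tree[f"{base}/{key}/{n}"] = item  # a leading +/-/^ stays glued to item 1
        else:
            tree[f"{base}/{key}"] = value
    return tree

def list_items(tree, list_path):
    """Values of the numbered children of list_path, in numeric order."""
    prefix = list_path + "/"
    numbered = [(int(p[len(prefix):]), v) for p, v in tree.items()
                if p.startswith(prefix) and p[len(prefix):].isdigit()]
    return [v for _, v in sorted(numbered)]

def append_if_missing(tree, list_path, item):
    """Model of `set LIST/seq::*[.="X"] X`: add X as a new numbered child only
    when no child already holds exactly that string; True if a node was added."""
    items = list_items(tree, list_path)
    if item in items:
        return False
    tree.setdefault(list_path, None)
    tree[f"{list_path}/{len(items) + 1}"] = item
    return True

def has_algorithm(tree, list_path, name):
    """Caveat from the comment: the lens keeps a leading +, - or ^ on the item, so
    an exact match misses "+curve25519-sha256"; strip the prefix before comparing."""
    return any(re.sub(r"^[+^-]", "", v) == name for v in list_items(tree, list_path))
```

Note that `append_if_missing` reproduces the exact-string semantics of the `seq::*[.="ssh-rsa"]` predicate, so a list whose first entry is `+ssh-rsa` would still accept a second `ssh-rsa`; `has_algorithm` is the prefix-aware check a manifest author would want before deciding whether to append.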

mburlic commented 7 months ago

That's it! Thank you for your time and for your detailed answer.