From c100fc88a3fbe001281d0d39a335c092186b5e23 Mon Sep 17 00:00:00 2001
From: Robert Fairburn
Date: Fri, 19 Sep 2014 10:47:35 -0500
Subject: [PATCH 1/8] allow for "Match" inside of an sshd_config
---
 openssh/files/sshd_config | 55 +++++++++++++++++++++++----------------
 1 file changed, 33 insertions(+), 22 deletions(-)
diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config
index a3756bc..91e534e 100644
--- a/openssh/files/sshd_config
+++ b/openssh/files/sshd_config
@@ -2,15 +2,10 @@
 {#- present in sshd_config and known in actual file options -#}
 {%- set processed_options = [] -%}
-{#- macros for render option according to present -#}
-{%- macro option_impl(keyword, default, present) -%}
- {%- if present -%}
- {%- do processed_options.append(keyword) -%}
- {%- set prefix='' -%}
- {%- else -%}
- {%- set prefix='#' -%}
- {%- endif -%}
- {%- set value = sshd_config.get(keyword, default) -%}
+{#- generic renderer used for sshd matches, known options, -#}
+{#- and unknown options -#}
+{%- macro render_option(keyword, default, config_dict=sshd_config) -%}
+ {%- set value = config_dict.get(keyword, default) -%}
 {%- if value is sameas true -%}
 {{ prefix }}{{ keyword }} yes
 {%- elif value is sameas false -%}
@@ -24,6 +19,20 @@
 {%- endif -%}
 {%- endmacro -%}
+{#- macros for render option according to present -#}
+{%- macro option_impl(keyword, default, present) -%}
+ {%- if present -%}
+ {%- do processed_options.append(keyword) -%}
+ {%- set prefix='' -%}
+ {%- else -%}
+ {%- set prefix='#' -%}
+ {%- endif -%}
+ {#- add prefix to keyword and/or default -#}
+ {%- set keyword = prefix ~ default -%}
+ {%- set default = prefix ~ default -%}
+{{ render_option(keyword, default) }}
+{%- endmacro -%}
+
 {#- macros for render option commented by default -#}
 {%- macro option(keyword, default, present) -%}
 {{ option_impl(keyword, default, keyword in sshd_config) }}
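Review bot: In the first hunk of patch 1/8, `option_impl` prefixes `keyword` with `#` before handing it to `render_option`, so for an absent option the lookup becomes `sshd_config.get('#Keyword', default)`; that returns the default only because `option()` derives `present` from `keyword in sshd_config`, and any caller passing `present=false` for a key that is in the pillar would silently render the default instead of the configured value. This coupling is not stated anywhere in the macro (the hunk's own `prefix ~ default` line is corrected in 4/8 and 5/8, but the lookup through the prefixed name remains). A comment at the `{{ render_option(keyword, default) }}` call, e.g. `{#- a '#'-prefixed keyword never matches a pillar key, so an absent option is rendered as its commented-out default -#}`, would make that explicit; resolving the value before prefixing would remove the dependency altogether. The macro definition is complete within the hunk.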
@@ -129,18 +138,20 @@
 {{ option('UseDNS', 'yes') }}
 {# Handling unknown in salt template options #}
-{%- for keyword, argument in sshd_config.iteritems() %}
- {%- if not keyword in processed_options -%}
- {%- if argument is sameas true %}
-{{ keyword }} yes
- {%- elif argument is sameas false %}
-{{ keyword }} no
- {%- elif argument is string or argument is number %}
-{{ keyword }} {{ argument }}
- {%- else %}
- {%- for item in argument %}
-{{ keyword }} {{ item }}
- {%- endfor %}
- {%- endif %}
+{%- for keyword in sshd_config.keys() %}
+ {#- Matches have to be at the bottem and should be handled differently -#}
+ {%- if not keyword in processed_options and keyword != 'matches' -%}
+{#- send a blank default as it doesn't matter -#}
+{{ render_option(keyword, '') }}
 {%- endif -%}
 {%- endfor %}
+
+{# Handle matches last as they need to go at the bottom #}
+{%- if 'matches' in sshd_config %}
+ {%- for match in sshd_config['matches'].values() %}
+Match {{ match['type'].keys()[0] match['type'].values()[0] }}
+ {%- for keyword in match['options'].keys() %}
+ {{ render_option(keyword, '', config_dict=match['type']) }}
+ {%- endfor %}
+ {%- endfor %}
+{%- endif %}
From ba72c1e8b72588732f825256922457ba3315c8dc Mon Sep 17 00:00:00 2001
From: Robert Fairburn
Date: Fri, 19 Sep 2014 10:55:19 -0500
Subject: [PATCH 2/8] remove prefix when not needed
---
 openssh/files/sshd_config | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config
index 91e534e..642cbb8 100644
--- a/openssh/files/sshd_config
+++ b/openssh/files/sshd_config
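Review bot: In the second hunk of patch 1/8, the `Match` line built from `match['type'].keys()[0]` and `match['type'].values()[0]` (the form it takes after 3/8, shown again as context in the 6/8 hunk) emits only the first criterion of `type` and silently drops any further ones, although sshd accepts several criteria-pattern pairs on one Match line; indexing `.keys()[0]` also only works on a Python 2 dict, since dict views are not subscriptable on Python 3. Rendering every pair covers both: `Match {% for criterion, pattern in match['type'].items() %}{{ criterion }} {{ pattern }}{{ ' ' if not loop.last }}{% endfor %}`. The order of Match blocks is also security-relevant, because sshd applies the first instance of a keyword it obtains and a later Match block cannot override an earlier one for the same keyword; `sshd_config['matches'].values()` yields no defined order unless the pillar loader happens to return an ordered mapping, so iterating `{%- for name, match in sshd_config['matches'] | dictsort %}` (or documenting that authors must not rely on block order) would make the rendered file deterministic. The `matches` key is correctly excluded from the unknown-options loop above, so nothing else in this hunk reaches the Match section.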
@@ -7,14 +7,14 @@
 {%- macro render_option(keyword, default, config_dict=sshd_config) -%}
 {%- set value = config_dict.get(keyword, default) -%}
 {%- if value is sameas true -%}
-{{ prefix }}{{ keyword }} yes
+{{ keyword }} yes
 {%- elif value is sameas false -%}
-{{ prefix }}{{ keyword }} no
+{{ keyword }} no
 {%- elif value is string or value is number -%}
-{{ prefix }}{{ keyword }} {{ value }}
+{{ keyword }} {{ value }}
 {%- else -%}
 {%- for single_value in value -%}
-{{ prefix }}{{ keyword }} {{ single_value }}
+{{ keyword }} {{ single_value }}
 {% endfor -%}
 {%- endif -%}
 {%- endmacro -%}
From abf6e09fbb99e0f24051ac74352814df4b384e7a Mon Sep 17 00:00:00 2001
From: Robert Fairburn
Date: Fri, 19 Sep 2014 11:16:58 -0500
Subject: [PATCH 3/8] Fix a typo in the match jinja
---
 openssh/files/sshd_config | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config
index 642cbb8..23ab0e2 100644
--- a/openssh/files/sshd_config
+++ b/openssh/files/sshd_config
@@ -149,7 +149,7 @@
 {# Handle matches last as they need to go at the bottom #}
 {%- if 'matches' in sshd_config %}
 {%- for match in sshd_config['matches'].values() %}
-Match {{ match['type'].keys()[0] match['type'].values()[0] }}
+Match {{ match['type'].keys()[0] }} {{ match['type'].values()[0] }}
 {%- for keyword in match['options'].keys() %}
 {{ render_option(keyword, '', config_dict=match['type']) }}
 {%- endfor %}
From 85c97b450abf7a6bcba26a4ebe49213341b2ddd1 Mon Sep 17 00:00:00 2001
From: Robert Fairburn
Date: Fri, 19 Sep 2014 11:19:37 -0500
Subject: [PATCH 4/8] fix a typo in keywords being sent improperly
---
 openssh/files/sshd_config | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config
index 23ab0e2..6d931a4 100644
--- a/openssh/files/sshd_config
+++ b/openssh/files/sshd_config
@@ -28,7 +28,7 @@
 {%- set prefix='#' -%}
 {%- endif -%}
 {#- add prefix to keyword and/or default -#}
- {%- set keyword = prefix ~ default -%}
+ {%- set keyword = prefix ~ keyword -%}
 {%- set default = prefix ~ default -%}
 {{ render_option(keyword, default) }}
 {%- endmacro -%}
From 1a2de43ed74bb0f075afbb731d195cc1f9824621 Mon Sep 17 00:00:00 2001
From: Robert Fairburn
Date: Fri, 19 Sep 2014 11:21:31 -0500
Subject: [PATCH 5/8] defaults do not need a prefix
---
 openssh/files/sshd_config | 1 -
 1 file changed, 1 deletion(-)
diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config
index 6d931a4..d289b92 100644
--- a/openssh/files/sshd_config
+++ b/openssh/files/sshd_config
@@ -29,7 +29,6 @@
 {%- endif -%}
 {#- add prefix to keyword and/or default -#}
 {%- set keyword = prefix ~ keyword -%}
- {%- set default = prefix ~ default -%}
 {{ render_option(keyword, default) }}
 {%- endmacro -%}
From b24101264f6c13c5d2d907f5fb19be5562ed284d Mon Sep 17 00:00:00 2001
From: Robert Fairburn
Date: Fri, 19 Sep 2014 11:26:10 -0500
Subject: [PATCH 6/8] make sure to match options as the options dict!
---
 openssh/files/sshd_config | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config
index d289b92..34ca22f 100644
--- a/openssh/files/sshd_config
+++ b/openssh/files/sshd_config
@@ -150,7 +150,7 @@
 {%- for match in sshd_config['matches'].values() %}
 Match {{ match['type'].keys()[0] }} {{ match['type'].values()[0] }}
 {%- for keyword in match['options'].keys() %}
- {{ render_option(keyword, '', config_dict=match['type']) }}
+ {{ render_option(keyword, '', config_dict=match['options']) }}
 {%- endfor %}
 {%- endfor %}
 {%- endif %}
From 51277cc2f9d9332946bd96a5b5fbfdee60b42002 Mon Sep 17 00:00:00 2001
From: Robert Fairburn
Date: Fri, 19 Sep 2014 11:42:17 -0500
Subject: [PATCH 7/8] add pillar example
---
 pillar.example | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/pillar.example b/pillar.example
index 42007da..70ec760 100644
--- a/pillar.example
+++ b/pillar.example
@@ -30,6 +30,15 @@ sshd_config:
 Subsystem: "sftp /usr/lib/openssh/sftp-server"
 UsePAM: 'yes'
 UseDNS: 'yes'
+ matches:
+ sftp_chroot:
+ type:
+ Group: sftpusers
+ options:
+ ChrootDirectory: /sftp-chroot/%u
+ X11Forwarding: no
+ AllowTcpForwarding: no
+ ForceCommand: internal-sftp
 openssh:
 auth:
From 8616d3d130fc4943d1b70bb81809a91e0f0a9653 Mon Sep 17 00:00:00 2001
From: Robert Fairburn
Date: Fri, 19 Sep 2014 12:01:57 -0500
Subject: [PATCH 8/8] fix comment
---
 openssh/files/sshd_config | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config
index 34ca22f..1299a32 100644
--- a/openssh/files/sshd_config
+++ b/openssh/files/sshd_config
@@ -27,7 +27,7 @@
 {%- else -%}
 {%- set prefix='#' -%}
 {%- endif -%}
- {#- add prefix to keyword and/or default -#}
+ {#- add prefix to keyword -#}
 {%- set keyword = prefix ~ keyword -%}
 {{ render_option(keyword, default) }}
 {%- endmacro -%}
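Review bot: In the pillar.example hunk of patch 7/8, the `ChrootDirectory: /sftp-chroot/%u` sample lacks a note that sshd only accepts the chroot when that directory and every path component above it are owned by root and not writable by group or others, with the user's writable area as a subdirectory below it; copied as-is, the example produces a Match block whose logins fail at that check. A comment next to the key such as `# the chroot path and all of its parents must be root-owned and not group/world-writable` would prevent that. The example also mixes quoting styles: `UsePAM: 'yes'` above is a string while `X11Forwarding: no` here loads as a YAML boolean, which the template's `sameas false` branch renders as `no`, so it works, but quoting it like the neighbouring options keeps the example self-consistent.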