sshd.config stage: support PermitRootLogin option

Add support for `PermitRootLogin` option in the
`org.osbuild.sshd.config` stage.

I kept the "yes" and "no" values for consistency with other stage
options. While it will make the implementation in osbuild-composer
harder, it won't be impossible as we already have a precedence for doing
it this way (e.g. in the `org.osbuild.pam.limits.conf`).

Modify the stage unit tests to check the new option.

Remove the empty `org.osbuild.sshd.config` stage from `a.mpp.json`
since it does not add any value and it actually caused the `tree-diff`
tool to produce odd tree-diff results.

Fix #910

Signed-off-by: Tomas Hozza <thozza@redhat.com>
This commit is contained in:
Tomas Hozza 2021-12-06 14:53:22 +01:00 committed by mergify[bot]
parent 60066ee927
commit 0df902d6bb
6 changed files with 27 additions and 29 deletions


@ -33,6 +33,18 @@ SCHEMA = """
"ClientAliveInterval": { "ClientAliveInterval": {
"description": "Number of seconds between keep-alive pings. 0 disables it.", "description": "Number of seconds between keep-alive pings. 0 disables it.",
"type": "integer" "type": "integer"
},
"PermitRootLogin": {
"description": "Specifies whether root can log in using ssh.",
"oneOf": [
{
"enum": ["prohibit-password", "forced-commands-only"],
"type": "string"
},
{
"type": "boolean"
}
]
} }
} }
} }
@ -51,6 +63,7 @@ def main(tree, options):
password_auth = sshd_config.get("PasswordAuthentication") password_auth = sshd_config.get("PasswordAuthentication")
challenge_response_auth = sshd_config.get("ChallengeResponseAuthentication") challenge_response_auth = sshd_config.get("ChallengeResponseAuthentication")
client_alive_interval = sshd_config.get("ClientAliveInterval") client_alive_interval = sshd_config.get("ClientAliveInterval")
permit_root_login = sshd_config.get("PermitRootLogin")
changes = {} changes = {}
if password_auth is not None: if password_auth is not None:
changes["passwordauthentication"] = { changes["passwordauthentication"] = {
@ -67,6 +80,11 @@ def main(tree, options):
"key": "ClientAliveInterval", "key": "ClientAliveInterval",
"value": client_alive_interval "value": client_alive_interval
} }
if permit_root_login is not None:
changes["permitrootlogin"] = {
"key": "PermitRootLogin",
"value": bool_to_yes_no(permit_root_login) if isinstance(permit_root_login, bool) else permit_root_login
}
# For each of the configured options, find the first non-commented out instance # For each of the configured options, find the first non-commented out instance
# of the option and replace it (if necessary). If it does not already exist, append # of the option and replace it (if necessary). If it does not already exist, append
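Review bot: The `"value":` line in the last hunk folds the boolean-to-string conversion into the dict literal, which reads awkwardly next to the three sibling options that assign a plain variable; compute it first, `value = bool_to_yes_no(permit_root_login) if isinstance(permit_root_login, bool) else permit_root_login`, then use `"value": value`. The schema description in the first hunk, "Specifies whether root can log in using ssh.", does not say how the boolean form is written out: `true` becomes `yes` (root may log in with any authentication method sshd accepts, password included), `false` becomes `no`, and the two enum strings are passed through unchanged, while omitting the option leaves the existing sshd_config value untouched; stating that would help manifest authors pick `prohibit-password` where key-only root access is intended. `bool_to_yes_no` is not defined in this hunk and is presumably the same helper the other boolean options already use. Both hunks sit inside `main`, which starts before the second hunk and continues past the last one.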


@ -455,9 +455,6 @@
"sha256:0ebe43a9bef7ec2dc4cb98350fbde2e55dae886f905e2d9cea837da3fb613c87" "sha256:0ebe43a9bef7ec2dc4cb98350fbde2e55dae886f905e2d9cea837da3fb613c87"
] ]
} }
},
{
"name": "org.osbuild.sshd.config"
} }
] ]
}, },


@ -28,9 +28,6 @@
] ]
} }
} }
},
{
"name": "org.osbuild.sshd.config"
} }
] ]
} }


@ -462,7 +462,8 @@
"config": { "config": {
"PasswordAuthentication": false, "PasswordAuthentication": false,
"ChallengeResponseAuthentication": false, "ChallengeResponseAuthentication": false,
"ClientAliveInterval": 180 "ClientAliveInterval": 180,
"PermitRootLogin": "forced-commands-only"
} }
} }
}, },
@ -472,7 +473,8 @@
"config": { "config": {
"PasswordAuthentication": false, "PasswordAuthentication": false,
"ChallengeResponseAuthentication": true, "ChallengeResponseAuthentication": true,
"ClientAliveInterval": 200 "ClientAliveInterval": 200,
"PermitRootLogin": false
} }
} }
} }


@ -35,7 +35,8 @@
"config": { "config": {
"PasswordAuthentication": false, "PasswordAuthentication": false,
"ChallengeResponseAuthentication": false, "ChallengeResponseAuthentication": false,
"ClientAliveInterval": 180 "ClientAliveInterval": 180,
"PermitRootLogin": "forced-commands-only"
} }
} }
}, },
@ -45,7 +46,8 @@
"config": { "config": {
"PasswordAuthentication": false, "PasswordAuthentication": false,
"ChallengeResponseAuthentication": true, "ChallengeResponseAuthentication": true,
"ClientAliveInterval": 200 "ClientAliveInterval": 200,
"PermitRootLogin": false
} }
} }
} }


@ -5,25 +5,7 @@
"/etc/ssh/sshd_config": { "/etc/ssh/sshd_config": {
"content": [ "content": [
"sha256:1042f1b0e644ed40eef54614a3a8108b534f41beb2d210545a2bac5cbd8187b7", "sha256:1042f1b0e644ed40eef54614a3a8108b534f41beb2d210545a2bac5cbd8187b7",
"sha256:a995ff3d4c7c89987c210207d109a86815334f58bea30ccfea1c175fe8f12b76" "sha256:3c4833fc340eb78f5002a628dee13203eb0ca26fdb4394dc29a7d2f902f66723"
]
},
"/etc/pki/ca-trust/extracted/java/cacerts": {
"content": [
null,
null
]
},
"/var/cache/ldconfig/aux-cache": {
"content": [
null,
null
]
},
"/var/lib/rpm/rpmdb.sqlite": {
"content": [
null,
null
] ]
} }
} }