From 8d971b83ba11fc0eb521d9d15e4a2ae281bc2ef5 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Mon, 20 Jul 2015 12:03:47 -0400 Subject: Ssh.permitRootLogin type changed to allow configuring WithoutPassword and ForcedCommandsOnly (API change) * Ssh.permitRootLogin type changed to allow configuring WithoutPassword and ForcedCommandsOnly (API change) * setSshdConfig type changed, and setSshdConfigBool added with old type. --- config-joey.hs | 2 +- debian/changelog | 8 ++++++++ src/Propellor/Property/Ssh.hs | 40 ++++++++++++++++++++++++++++++---------- 3 files changed, 39 insertions(+), 11 deletions(-) diff --git a/config-joey.hs b/config-joey.hs index 8b53718a..32b70c14 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -441,7 +441,7 @@ jerryPlay = standardDockerContainer "jerryplay" Unstable "amd64" & Docker.publish "8001:80" & Apt.installed ["ssh"] & User.hasSomePassword (User "root") - & Ssh.permitRootLogin True + & Ssh.permitRootLogin (Ssh.RootLogin True) kiteShellBox :: Systemd.Container kiteShellBox = standardStableContainer "kiteshellbox" diff --git a/debian/changelog b/debian/changelog index 3b20a402..6b411fa2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +propellor (2.7.0) UNRELEASED; urgency=medium + + * Ssh.permitRootLogin type changed to allow configuring WithoutPassword + and ForcedCommandsOnly (API change) + * setSshdConfig type changed, and setSshdConfigBool added with old type. + + -- Joey Hess Mon, 20 Jul 2015 12:01:38 -0400 + propellor (2.6.0) unstable; urgency=medium * Replace String type synonym Docker.Image by a data type diff --git a/src/Propellor/Property/Ssh.hs b/src/Propellor/Property/Ssh.hs index 785f2787..fca7d037 100644 --- a/src/Propellor/Property/Ssh.hs +++ b/src/Propellor/Property/Ssh.hs @@ -1,7 +1,10 @@ module Propellor.Property.Ssh ( PubKeyText, sshdConfig, + ConfigKeyword, + setSshdConfigBool, setSshdConfig, + RootLogin(..), permitRootLogin, passwordAuthentication, noPasswords, @@ -28,6 +31,7 @@ import Utility.FileMode import System.PosixCompat import qualified Data.Map as M +import Data.List type PubKeyText = String @@ -38,21 +42,37 @@ sshBool False = "no" sshdConfig :: FilePath sshdConfig = "/etc/ssh/sshd_config" -setSshdConfig :: String -> Bool -> Property NoInfo -setSshdConfig setting allowed = combineProperties "sshd config" - [ sshdConfig `File.lacksLine` (sshline $ not allowed) - , sshdConfig `File.containsLine` (sshline allowed) - ] +type ConfigKeyword = String + +setSshdConfigBool :: ConfigKeyword -> Bool -> Property NoInfo +setSshdConfigBool setting allowed = setSshdConfig setting (sshBool allowed) + +setSshdConfig :: ConfigKeyword -> String -> Property NoInfo +setSshdConfig setting val = File.fileProperty desc f sshdConfig `onChange` restarted - `describe` unwords [ "ssh config:", setting, sshBool allowed ] where - sshline v = setting ++ " " ++ sshBool v + desc = unwords [ "ssh config:", setting, val ] + cfgline = setting ++ " " ++ val + wantedline s + | s == cfgline = True + | (setting ++ " ") `isPrefixOf` s = False + | otherwise = True + f ls + | cfgline `elem` ls = filter wantedline ls + | otherwise = filter wantedline ls ++ [cfgline] + +data RootLogin + = RootLogin Bool -- ^ allow or prevent root login + | WithoutPassword -- ^ disable password authentication for root, while allowing other authentication methods + | ForcedCommandsOnly -- ^ allow root login with public-key authentication, but only if a forced command has been specified for the public key -permitRootLogin :: Bool -> Property NoInfo -permitRootLogin = setSshdConfig "PermitRootLogin" +permitRootLogin :: RootLogin -> Property NoInfo +permitRootLogin (RootLogin b) = setSshdConfigBool "PermitRootLogin" b +permitRootLogin WithoutPassword = setSshdConfig "PermitRootLogin" "without-password" +permitRootLogin ForcedCommandsOnly = setSshdConfig "PermitRootLogin" "forced-commands-only" passwordAuthentication :: Bool -> Property NoInfo -passwordAuthentication = setSshdConfig "PasswordAuthentication" +passwordAuthentication = setSshdConfigBool "PasswordAuthentication" -- | Configure ssh to not allow password logins. -- -- cgit v1.2.3