
Switch to multi node configuration for additional SSH options introduced in 1.2.x
Closed, Resolved | Public | FEATURE REQUEST

Description

As written in T631 and T122, the SSH option syntax can be improved by moving from a comma-separated list to a multi-node implementation. In addition, this makes adding/removing members to e.g. (Allow|Deny)Users or (Allow|Deny)Groups easier.

The new configuration syntax suggested is:

ssh {
    access-control {
        allow {
            group admin
            group sudo
            user admin1
            user foo
            user bar
        }
        deny {
            group parttimeadmin
            user user192
        }
    }
    port 22
}

In addition, configuration of the key exchange mechanism, MAC and cipher has been added. Currently only one KEYX, MAC and Cipher can be added, whereas OpenSSHd allows multiple of them.

The change is quite trivial after T631 is integrated, but it's a configuration break, so @syncer @dmbaturin @alainlamar please advise.

@alainlamar is the initial author.
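
Added example (not part of the original task and not VyOS's own implementation): a Python sketch that parses the multi-node syntax proposed above and renders the matching (Allow|Deny)Users and (Allow|Deny)Groups lines for sshd_config. The function names parse and render_access_control and the NAME policy are assumptions made for illustration.

```python
import re
# Constructed sample: the syntax proposed in the task description.
SAMPLE = """
ssh {
    access-control {
        allow {
            group admin
            group sudo
            user admin1
            user foo
            user bar
        }
        deny {
            group parttimeadmin
            user user192
        }
    }
    port 22
}
"""
NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")  # assumed name policy
def parse(text):
    """Nested dicts for blocks; repeated leaf keys (multi nodes) become lists."""
    stack = [{}]
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif line:
            key, _, value = line.partition(" ")
            stack[-1].setdefault(key, []).append(value.strip())
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return stack[0]

def render_access_control(cfg):
    """Emit sshd_config lines; user/group lists are space-separated there."""
    acl = cfg.get("ssh", {}).get("access-control", {})
    out = []
    for action in ("deny", "allow"):
        for kind in ("user", "group"):
            names = acl.get(action, {}).get(kind, [])
            if not all(NAME.fullmatch(n) for n in names):  # space or wildcard would widen the list
                raise ValueError(f"invalid {kind} name in {action} list")
            if names:
                out.append(f"{action.capitalize()}{kind.capitalize()}s {' '.join(names)}")
    return out
```

sshd requires a login to pass every one of these lists that is set, so with the sample configuration foo is admitted only if it is also a member of admin or sudo.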

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close

Event Timeline

c-po created this task. May 12 2018, 6:53 PM
c-po added a comment. May 13 2018, 12:21 PM

Implementation for this task is ready, only awaiting a decision.

https://github.com/c-po/vyos-1x/commits/t632-ssh-multi-nodes

c-po moved this task from In Progress to Finished on the VyOS 1.2 Crux board. May 15 2018, 7:59 PM

Merged as discussed via Slack

pasik added a subscriber: pasik. May 15 2018, 9:54 PM
syncer triaged this task as Normal priority. May 27 2018, 9:43 AM
c-po closed this task as Resolved. Sep 1 2018, 9:37 AM