⭐ introduce sshd.config.blocks #3194
Merged
This introduces support for querying individual blocks in SSHd configs. It's a more direct way of addressing feedback in mondoohq/cnspec-policies#340 by exposing the underlying block entirely, while also supporting aggregate values in the existing params structure.

Example: Let's assume we have an existing `/etc/ssh/sshd_config` on our system with a bunch of existing configuration. If we added a new match group at the end of the file like this:

```ini
Match Group sftp-users
    X11Forwarding no
    PermitRootLogin no
    AllowTCPForwarding yes
```

We can now query this match block both explicitly and implicitly. Implicitly it's (already) represented in the existing `params` field:

```coffee
> sshd.config.params.AllowTcpForwarding
"no,yes"
```

In the above example you can see that we already had this field set above the match block with the value set to `no`. After adding our match group, it was additionally set to `yes`. The field aggregates both values. This implicit access to config values has already existed in MQL as the default behavior.

With the new `blocks` field, we are extending implicit match block access to become explicit:

```coffee
> sshd.config.blocks
sshd.config.blocks: [
  0: sshd.config.matchBlock criteria=""
  1: sshd.config.matchBlock criteria="Group sftp-users"
]
```

The first match block is the default block, which is always present. It has no criteria set and applies to everything. The second match block has a `criteria` field that shows it only matches for `Group sftp-users`. You can easily access its configuration:

```coffee
> sshd.config.blocks { criteria params }
sshd.config.blocks: [
  0: {
    criteria: ""
    params: {
      AllowTcpForwarding: "no"
      ...
    }
  }
  1: {
    criteria: "Group sftp-users"
    params: {
      AllowTcpForwarding: "yes"
      PermitRootLogin: "no"
      X11Forwarding: "no"
    }
  }
]
```

In this example you can see that each block contains its own set of parameters. These are now restricted to the configuration of the block only. Thus the `AllowTcpForwarding` setting is not an aggregate of values anymore; it now only contains the value defined in the block.

Added Note: As a consequence of this change we are now also consistently structuring the `Match` field in the `sshd.config.params` structure to behave like all other fields: It combines any match group separated by commas:

```coffee
> sshd.config.params.Match
sshd.config.params[Match]: "Group sftp-users,User myservice"
```

Signed-off-by: Dominik Richter <[email protected]>
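To make the two views described in the PR concrete, here is an added Go example that is not cnquery's own parser: it splits an `sshd_config` into a default block plus one block per `Match` line, keeps each block's parameters separate, and builds the flat aggregate in which values seen in several blocks are comma-joined and `Match` lists every criteria. It then shows the check the aggregate alone cannot answer: which block sets `AllowTcpForwarding` to `yes`. Assumptions: keys are lowercased (sshd keywords are case-insensitive; the project's canonical casing such as `AllowTcpForwarding` is not reproduced), the `ParseSSHDConfig`, `EffectiveValue` and `BlocksViolating` names are this example's own, and the sample config is constructed for the demo.

```go
package main

import (
	"fmt"
	"strings"
)

// Block is one section of sshd_config: the implicit default block
// (Criteria == "") that applies to every connection, or a "Match ..."
// block whose Criteria is the text after the Match keyword.
type Block struct {
	Criteria string
	Params   map[string]string
}

// Config carries both views: Blocks (per-block params) and Params
// (the flat aggregate, where values seen in several blocks are joined
// with commas and "match" lists every Match criteria).
type Config struct {
	Blocks []Block
	Params map[string]string
}

// Constructed sample input for the demo, not taken from any real host.
const sampleConfig = `
Port 22
PermitRootLogin no
AllowTCPForwarding no
X11Forwarding yes

Match Group sftp-users
    X11Forwarding no
    PermitRootLogin no
    AllowTCPForwarding yes

Match User myservice
    PasswordAuthentication no
`

// appendParam records val under key, comma-joining with any earlier value.
func appendParam(m map[string]string, key, val string) {
	if prev, ok := m[key]; ok {
		m[key] = prev + "," + val
		return
	}
	m[key] = val
}

// ParseSSHDConfig splits sshd_config text into a default block plus one
// block per Match line. Keys are lowercased (assumption: sshd keywords are
// case-insensitive; the real tool's canonical casing is not reproduced).
func ParseSSHDConfig(text string) Config {
	cfg := Config{
		Blocks: []Block{{Criteria: "", Params: map[string]string{}}},
		Params: map[string]string{},
	}
	cur := &cfg.Blocks[0]
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		// sshd accepts "Key value", "Key=value" and "Key = value".
		sep := strings.IndexAny(line, " \t=")
		if sep < 0 {
			continue // keyword without an argument; sshd would reject it
		}
		key := strings.ToLower(line[:sep])
		val := strings.TrimLeft(line[sep:], " \t=")
		if key == "match" {
			// Match opens a new block and is aggregated like any other key.
			cfg.Blocks = append(cfg.Blocks, Block{Criteria: val, Params: map[string]string{}})
			cur = &cfg.Blocks[len(cfg.Blocks)-1]
			appendParam(cfg.Params, key, val)
			continue
		}
		appendParam(cur.Params, key, val) // per-block: only this block's own value
		appendParam(cfg.Params, key, val) // aggregate: "no,yes" style
	}
	return cfg
}

// EffectiveValue returns what applies for key in block i: the block's own
// setting, else the default block's. ok is false when neither sets it
// (sshd then uses a compiled-in default, which is out of scope here).
func EffectiveValue(cfg Config, i int, key string) (string, bool) {
	if v, ok := cfg.Blocks[i].Params[key]; ok {
		return v, true
	}
	v, ok := cfg.Blocks[0].Params[key]
	return v, ok
}

// BlocksViolating lists the criteria of every block whose effective value
// for key is not want; an unset key counts as violating so the reviewer
// must consciously apply sshd's default. This is the per-block check the
// aggregate "no,yes" cannot answer: which block is the offender.
func BlocksViolating(cfg Config, key, want string) []string {
	var bad []string
	for i, b := range cfg.Blocks {
		v, ok := EffectiveValue(cfg, i, key)
		if !ok || !strings.EqualFold(v, want) {
			bad = append(bad, b.Criteria)
		}
	}
	return bad
}

func main() {
	cfg := ParseSSHDConfig(sampleConfig)
	fmt.Println("aggregate allowtcpforwarding:", cfg.Params["allowtcpforwarding"])
	fmt.Println("aggregate match:", cfg.Params["match"])
	for i, b := range cfg.Blocks {
		fmt.Printf("block %d criteria=%q params=%v\n", i, b.Criteria, b.Params)
	}
	fmt.Println("violating allowtcpforwarding=no:", BlocksViolating(cfg, "allowtcpforwarding", "no"))
}
```

Note the caveat `BlocksViolating` makes explicit: a block that does not mention a keyword inherits the default block's value, so a policy written only against the aggregate `"no,yes"` knows that forwarding is enabled somewhere but not for which sessions, whereas the per-block view pinpoints `Group sftp-users`.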
chris-rock approved these changes on Feb 5, 2024
Thank you @arlimus Works like a charm