/*
SSHSecure - a program to harden OpenSSH from defaults
Copyright (C) 2020 Brent Saner

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
package config
/*
NOTATION KEY (used in the trailing comment of each struct field):
.: Exists in the default upstream config (but is usually commented out there).
+: These values are, or may be, modified by this program.
*: These values are not in the upstream config but are allowed per the man pages (sshd_config(5) and ssh_config(5)).
*/
// SshdMatchRule holds the sshd_config directives that are valid inside a Match block.
// It is more or less a subset of SshdConf (which embeds it, so every field here is also
// a top-level directive). Field comments summarize the directive per sshd_config(5); the
// trailing marker follows the notation key above. sshBool is declared elsewhere in this package.
type SshdMatchRule struct {
	AcceptEnv []string // * Environment variable names/patterns the server accepts from the client.
	AllowAgentForwarding sshBool // . Whether ssh-agent forwarding is permitted.
	AllowGroups []string // * Group name patterns allowed to log in.
	AllowStreamLocalForwarding string // * Unix-domain socket forwarding policy (yes/all, no, local, remote).
	AllowTcpForwarding string // . TCP forwarding policy (yes/all, no, local, remote).
	AllowUsers []string // * User name patterns allowed to log in.
	// sshd evaluates the allow/deny lists in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups.
	AuthenticationMethods []string // +* Each entry is a comma-separated chain that must fully succeed.
	AuthorizedKeysCommand string // . Absolute path of a program producing authorized keys; must be root-owned and not group/world-writable.
	AuthorizedKeysCommandUser string // . Account the AuthorizedKeysCommand runs as.
	AuthorizedKeysFile string // . Path to the user's authorized keys file (tokens such as %h/%u are expanded by sshd).
	AuthorizedPrincipalsCommand string // * Program producing accepted certificate principals; same ownership rules as AuthorizedKeysCommand.
	AuthorizedPrincipalsCommandUser string // * Account the AuthorizedPrincipalsCommand runs as.
	AuthorizedPrincipalsFile string // . File listing principals accepted for certificate authentication.
	Banner string // . Path of a file sent to the client before authentication.
	ChrootDirectory string // . Directory to chroot into after authentication; every path component must be root-owned and not group/world-writable.
	ClientAliveCountMax int // . Number of unanswered client-alive probes before the connection is dropped.
	ClientAliveInterval int // . Seconds of inactivity before a client-alive probe is sent (0 disables).
	DenyGroups []string // * Group name patterns refused login.
	DenyUsers []string // * User name patterns refused login.
	ForceCommand string // * Command executed instead of whatever the client requested.
	GatewayPorts string // . Whether remote-forwarded ports may bind to non-loopback addresses.
	GSSAPIAuthentication sshBool // .
	HostbasedAcceptedKeyTypes []string // * NOTE(review): newer OpenSSH documents this as HostbasedAcceptedAlgorithms (old name kept as an alias) — confirm the target version.
	HostbasedAuthentication sshBool // .
	HostbasedUsesNameFromPacketOnly sshBool // *
	IgnoreRhosts string // .
	// Do we handle includes? Or just let sshd -T handle it?
	Include string // *
	// Accepts one or two. If two, first is interactive and second is non-interactive.
	IPQoS [2]string // *
	KbdInteractiveAuthentication sshBool // *
	KerberosAuthentication sshBool // .
	LogLevel string // .
	MaxAuthTries int // . Maximum authentication attempts per connection.
	MaxSessions int // . Maximum open shell/login/subsystem sessions per network connection.
	PasswordAuthentication sshBool // .+
	PermitEmptyPasswords sshBool // +
	PermitListen string // * Restricts the addresses/ports remote forwarding may listen on.
	PermitOpen string // * Restricts the destinations local forwarding may open.
	PermitRootLogin string // .+ yes, prohibit-password, forced-commands-only or no.
	PermitTTY sshBool // .
	PermitTunnel string // . tun(4) device forwarding policy (yes, point-to-point, ethernet, no).
	PermitUserRC sshBool // * Whether ~/.ssh/rc is executed.
	PubkeyAcceptedKeyTypes []string // * NOTE(review): newer OpenSSH documents this as PubkeyAcceptedAlgorithms (old name kept as an alias) — confirm the target version.
	PubkeyAuthentication sshBool // .+
	RekeyLimit string // . "data [time]" thresholds after which the session key is renegotiated.
	RevokedKeys string // * Path of a KRL or list of revoked public keys.
	RDomain string // * Routing domain.
	SetEnv map[string]string // * Environment variables set for the session.
	// max is 4095, it goes in the config as an octal (4095 == 07777).
	StreamLocalBindMask uint16 // * umask applied to Unix-domain sockets created for forwarding.
	StreamLocalBindUnlink sshBool // * Whether an existing socket path is unlinked before binding.
	TrustedUserCAKeys string // * File of CA public keys trusted to sign user certificates.
	X11DisplayOffset int // .
	X11Forwarding sshBool // .
}
// SshdConf represents an /etc/ssh/sshd_config file's directives/values.
// Values in SshdMatchRule are not reproduced here; they are available through the
// embedded SshdMatchRule (which also makes them top-level directives of this struct).
// Field comments summarize the directive per sshd_config(5); the trailing marker follows
// the notation key above.
type SshdConf struct {
	SshdMatchRule
	AddressFamily string // . any, inet or inet6.
	CASignatureAlgorithms []string // * Signature algorithms accepted for CA-signed certificates.
	ChallengeResponseAuthentication sshBool // .+ NOTE(review): newer OpenSSH treats this as an alias of KbdInteractiveAuthentication — confirm how both are reconciled.
	Ciphers []string // +*
	Compression string // . yes, no or (legacy) delayed.
	DisableForwarding sshBool // * Disables every forwarding kind (TCP, X11, agent, Unix socket) regardless of the per-kind options.
	ExposeAuthInfo sshBool // *
	FingerprintHash string // * md5 or sha256.
	GSSAPICleanupCredentials sshBool // .
	GSSAPIStrictAcceptorCheck sshBool // *
	HostCertificate string // * Certificate matching one of the HostKey entries.
	HostKeyAgent string // * Agent socket from which host keys are obtained.
	HostKeyAlgorithms []string // +*
	HostKey []string // . Private host key files.
	IgnoreUserKnownHosts sshBool // .
	KerberosGetAFSToken sshBool // .
	KerberosOrLocalPasswd sshBool // .
	KerberosTicketCleanup sshBool // .
	KexAlgorithms string // +* NOTE(review): a single string, whereas Ciphers/MACs/HostKeyAlgorithms are []string — confirm this is intended.
	ListenAddress ListenAddr // . NOTE(review): sshd accepts multiple ListenAddress lines; a single value cannot hold them all — confirm with the parser.
	LoginGraceTime string // . Time allowed to authenticate before the server disconnects (0 disables the limit).
	MACs []string // +*
	Match map[string]string // . NOTE(review): MatchSshd below models a Match block as criteria plus rules; confirm which representation the parser populates.
	MaxStartups string // . "start:rate:full" limit on concurrent unauthenticated connections.
	PermitUserEnvironment sshBool // .
	PidFile string // .
	Port uint16 // . NOTE(review): sshd accepts multiple Port lines; only one fits here.
	PrintLastLog sshBool // .+
	PrintMotd sshBool // .
	Protocol int // +* NOTE(review): only protocol 2 exists in modern OpenSSH and sshd_config(5) no longer documents this directive — confirm it is still worth emitting.
	PubkeyAuthOptions string // * none, touch-required or verify-required.
	SecurityKeyProvider string // * Library used for FIDO authenticator access.
	StrictModes sshBool // .+ Check ownership/permissions of the user's files and home directory before accepting a login.
	Subsystem string // . "name command"; sshd allows several Subsystem lines.
	SyslogFacility string // .
	TCPKeepAlive sshBool // .
	UseDNS sshBool // . Reverse-resolve the client address and check it forward-resolves back.
	UsePAM sshBool // .
	VersionAddendum string // . Extra text appended to the server version banner.
	X11UseLocalhost sshBool // .
	XAuthLocation string // * Path of the xauth(1) program.
}
// SshConf represents an /etc/ssh/ssh_config (or ~/.ssh/config) file.
// Only the Host sections are modelled at the moment.
type SshConf struct {
	// These are in the default upstream ssh_config so we don't touch them. (Most, if not all, are commented out.)
	// We just have them here to parse them.
	// NOTE(review): keyed by Host pattern, presumably mapping to a single directive string — confirm against the parser.
	Host map[string]string
}
// ListenAddr is the parsed form of one sshd_config ListenAddress directive.
type ListenAddr struct {
	Addr string // hostname|address, hostname:port, IPv4_address:port, or [hostname|address]:port in conf string.
	Port uint16 // Port parsed from the directive, if one was given.
	RDomain string // Optional "rdomain" suffix of the directive.
}
// MatchSshd is one Match block of an sshd_config: the criteria on the Match line and
// the directives that apply while all of those criteria are satisfied. Per sshd_config(5)
// the block's directives override the global section until the next Match line or end of file.
type MatchSshd struct {
	// Criteria maps a Match keyword (User, Group, Host, LocalAddress, LocalPort, RDomain, Address) to its pattern.
	Criteria map[string]string
	// Rules are the directives set inside the block.
	Rules []SshdMatchRule
}