SSHSecure/config/struct.go


/*
SSHSecure - a program to harden OpenSSH from defaults
Copyright (C) 2020 Brent Saner
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
package config
/*
NOTATION KEY:
.: Exists in default upstream config (but usually they're commented out)
+: These values are/may be modified by this program.
*: These values are not in the upstream config but are allowed via the man page (sshd_config(5) and ssh_config(5)).
*/
// SshdMatchRule holds the sshd_config(5) keywords that are valid inside a
// Match block. It is more or less a subset of SshdConf, which embeds it.
// The trailing marker on each field follows the NOTATION KEY above.
type SshdMatchRule struct {
	AcceptEnv []string // *
	AllowAgentForwarding sshBool // .
	AllowGroups []string // *
	AllowStreamLocalForwarding string // *
	AllowTcpForwarding string // .
	AllowUsers []string // *
	// Presumably one entry per AuthenticationMethods list as written in
	// sshd_config (methods within a list are comma-separated) — confirm
	// against the parser/serializer.
	AuthenticationMethods []string // +*
	// sshd_config(5) requires an absolute path to a program owned by root and
	// not writable by group or others; sshd runs it as AuthorizedKeysCommandUser.
	AuthorizedKeysCommand string // .
	AuthorizedKeysCommandUser string // .
	AuthorizedKeysFile string // .
	AuthorizedPrincipalsCommand string // *
	AuthorizedPrincipalsCommandUser string // *
	AuthorizedPrincipalsFile string // .
	Banner string // .
	ChrootDirectory string // .
	ClientAliveCountMax int // .
	ClientAliveInterval int // .
	DenyGroups []string // *
	DenyUsers []string // *
	ForceCommand string // *
	GatewayPorts string // .
	GSSAPIAuthentication sshBool // .
	HostbasedAcceptedKeyTypes []string // *
	HostbasedAuthentication sshBool // .
	HostbasedUsesNameFromPacketOnly sshBool // *
	IgnoreRhosts string // .
	// Open question from the author: do we handle includes ourselves, or just
	// let `sshd -T` expand them?
	Include string // *
	// Accepts one or two values. If two, the first applies to interactive
	// sessions and the second to non-interactive ones.
	IPQoS [2]string // *
	KbdInteractiveAuthentication sshBool // *
	KerberosAuthentication sshBool // .
	LogLevel string // .
	MaxAuthTries int // .
	MaxSessions int // .
	// Marked +: this program may change these two. Hardened configs disable
	// password logins and never permit empty passwords.
	PasswordAuthentication sshBool // .+
	PermitEmptyPasswords sshBool // +
	PermitListen string // *
	PermitOpen string // *
	// Marked +: sshd accepts yes, prohibit-password, forced-commands-only or
	// no; "no" is the usual hardening target.
	PermitRootLogin string // .+
	PermitTTY sshBool // .
	PermitTunnel string // .
	PermitUserRC sshBool // *
	PubkeyAcceptedKeyTypes []string // *
	PubkeyAuthentication sshBool // .+
	RekeyLimit string // .
	RevokedKeys string // *
	RDomain string // *
	// Variable name → value; sshd_config lets SetEnv be given more than once.
	SetEnv map[string]string // *
	// Maximum is 4095 (octal 07777). sshd parses this as an octal mode mask,
	// so it must be rendered in octal when written to the config.
	StreamLocalBindMask uint16 // *
	StreamLocalBindUnlink sshBool // *
	TrustedUserCAKeys string // *
	X11DisplayOffset int // .
	X11Forwarding sshBool // .
}
// SshdConf represents an /etc/ssh/sshd_config file's directives/values.
// Keywords that are also valid in Match blocks live in the embedded
// SshdMatchRule and are not repeated here. The trailing marker on each
// field follows the NOTATION KEY above.
type SshdConf struct {
	SshdMatchRule
	AddressFamily string // .
	CASignatureAlgorithms []string // *
	// NOTE(review): later OpenSSH releases treat this keyword as a deprecated
	// alias of KbdInteractiveAuthentication — confirm which sshd versions are
	// targeted before relying on it.
	ChallengeResponseAuthentication sshBool // .+
	// Marked +: one of the algorithm lists this program tightens.
	Ciphers []string // +*
	Compression string // .
	DisableForwarding sshBool // *
	ExposeAuthInfo sshBool // *
	FingerprintHash string // *
	GSSAPICleanupCredentials sshBool // .
	GSSAPIStrictAcceptorCheck sshBool // *
	HostCertificate string // *
	HostKeyAgent string // *
	HostKeyAlgorithms []string // +*
	// One entry per HostKey line; sshd_config permits several.
	HostKey []string // .
	IgnoreUserKnownHosts sshBool // .
	KerberosGetAFSToken sshBool // .
	KerberosOrLocalPasswd sshBool // .
	KerberosTicketCleanup sshBool // .
	// Marked +. NOTE(review): Ciphers, MACs and HostKeyAlgorithms are slices
	// but this is a single string — presumably the raw comma-separated value;
	// confirm the caller handles both representations consistently.
	KexAlgorithms string // +*
	// NOTE(review): sshd_config allows multiple ListenAddress lines, but a
	// single ListenAddr can carry only one — confirm that is intended.
	ListenAddress ListenAddr // .
	LoginGraceTime string // .
	MACs []string // +*
	// NOTE(review): MatchSshd (below) models a Match block as criteria plus
	// rules, so what this map holds is unclear from this file — confirm
	// against the parser.
	Match map[string]string // .
	MaxStartups string // .
	PermitUserEnvironment sshBool // .
	PidFile string // .
	Port uint16 // .
	PrintLastLog sshBool // .+
	PrintMotd sshBool // .
	// NOTE(review): Protocol selected SSH1/SSH2 and is no longer honoured by
	// current sshd (SSH1 support was removed upstream) — confirm whether it
	// still needs to be emitted.
	Protocol int // +*
	PubkeyAuthOptions string // *
	SecurityKeyProvider string // *
	// Marked +: when enabled sshd refuses logins if the user's home, .ssh
	// directory or key files are writable by others; hardened configs keep
	// it on.
	StrictModes sshBool // .+
	Subsystem string // .
	SyslogFacility string // .
	TCPKeepAlive sshBool // .
	UseDNS sshBool // .
	UsePAM sshBool // .
	VersionAddendum string // .
	X11UseLocalhost sshBool // .
	XAuthLocation string // *
}
// SshConf represents an /etc/ssh/ssh_config (or ~/.ssh/config) file.
type SshConf struct {
	// Presumably keyed by Host pattern. These are in the default upstream
	// client config so we don't touch them (most, if not all, are commented
	// out); they are only held here so they can be parsed.
	// NOTE(review): the original comment said sshd_config, but this type
	// models ssh_config — presumably a slip.
	Host map[string]string
}
// ListenAddr is one parsed sshd_config ListenAddress directive.
type ListenAddr struct {
	// Accepts hostname|address, hostname:port, IPv4_address:port, or
	// [hostname|address]:port in the conf string.
	Addr string
	// Port as given in the directive; presumably 0 when the directive carried
	// none — confirm against the parser.
	Port uint16
	// Optional rdomain qualifier (ListenAddress ... rdomain <name>).
	RDomain string
}
// MatchSshd is one sshd_config Match block: the criteria that select it and
// the keywords it overrides.
type MatchSshd struct {
	// Presumably criterion keyword → pattern (e.g. User, Group, Host, Address);
	// sshd applies the block only when every criterion matches.
	Criteria map[string]string
	// Keyword overrides applied when the criteria match. NOTE(review): a Match
	// block is a single set of keywords, so why this is a slice rather than one
	// SshdMatchRule is not clear from this file — confirm.
	Rules []SshdMatchRule
}