/*
SSHSecure - a program to harden OpenSSH from defaults
Copyright (C) 2020 Brent Saner

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
*/

// Package config declares typed representations of OpenSSH server
// (sshd_config) and client (ssh_config) directives. Fields tagged "+" in the
// notation key below are the ones this program is expected to rewrite when
// hardening a configuration, so their Go types must stay in step with
// whatever serialises them back to the config file.
//
// The sshBool and sshEnv types used by the fields below are not declared in
// this file; they are presumably declared elsewhere in this package.
package config

/*
NOTATION KEY:
.: Exists in default upstream config (but usually they're commented out)
+: These values are/may be modified by this program.
*: These values are not in the upstream config but are allowed via the man page
   (sshd_config(5) and ssh_config(5)).
*/

// SshdMatchRule is more or less a subset of SshdConf. These are valid keywords
// for Match blocks in sshd_config. The same set is embedded in SshdConf for
// the global (non-Match) scope.
type SshdMatchRule struct {
	AcceptEnv                       []string // *
	AllowAgentForwarding            sshBool  // .
	AllowGroups                     []string // *
	AllowStreamLocalForwarding      string   // *
	AllowTcpForwarding              string   // . (yes/no plus directional keywords, hence string rather than sshBool)
	AllowUsers                      []string // *
	AuthenticationMethods           []string // +*
	AuthorizedKeysCommand           string   // .
	AuthorizedKeysCommandUser       string   // .
	AuthorizedKeysFile              string   // .
	AuthorizedPrincipalsCommand     string   // *
	AuthorizedPrincipalsCommandUser string   // *
	AuthorizedPrincipalsFile        string   // .
	Banner                          string   // .
	ChrootDirectory                 string   // .
	ClientAliveCountMax             int      // .
	ClientAliveInterval             int      // .
	DenyGroups                      []string // *
	DenyUsers                       []string // *
	ForceCommand                    string   // *
	GatewayPorts                    string   // . (yes/no/clientspecified)
	GSSAPIAuthentication            sshBool  // .
	HostbasedAcceptedKeyTypes       []string // *+
	HostbasedAuthentication         sshBool  // .
	HostbasedUsesNameFromPacketOnly sshBool  // *
	IgnoreRhosts                    string   // .
	// Do we handle includes? Or just let sshd -T handle it?
	Include string // *
	// Accepts one or two. If two, first is interactive and second is non-interactive.
	// NOTE(review): SshConf.IPQoS is a plain string; the two types should
	// probably agree so one serialiser can handle both.
	IPQoS                        [2]string // *
	KbdInteractiveAuthentication sshBool   // *
	KerberosAuthentication       sshBool   // .
	LogLevel                     string    // .
	MaxAuthTries                 int       // .
	MaxSessions                  int       // .
	PasswordAuthentication       sshBool   // .+
	PermitEmptyPasswords         sshBool   // +
	PermitListen                 string    // *
	PermitOpen                   string    // *
	PermitRootLogin              string    // .+ (yes/no/prohibit-password/forced-commands-only, hence string)
	PermitTTY                    sshBool   // .
	PermitTunnel                 string    // .
	PermitUserRC                 sshBool   // *
	PubkeyAcceptedKeyTypes       []string  // *
	PubkeyAuthentication         sshBool   // .+
	RekeyLimit                   []string  // .
	RevokedKeys                  string    // *
	RDomain                      string    // *
	SetEnv                       sshEnv    // *
	// max is 4095 (0o7777); it goes in the config as an octal.
	StreamLocalBindMask   uint16  // *
	StreamLocalBindUnlink sshBool // *
	TrustedUserCAKeys     string  // *
	X11DisplayOffset      int     // .
	X11Forwarding         sshBool // .
}

// SshdConf represents an /etc/ssh/sshd_config file's directives/values.
// Values in SshdMatchRule are not reproduced here; they are available through
// the embedded SshdMatchRule.
type SshdConf struct {
	SshdMatchRule
	AddressFamily                   string   // .
	CASignatureAlgorithms           []string // *
	ChallengeResponseAuthentication sshBool  // .+
	Ciphers                         []string // +*
	Compression                     string   // .
	DisableForwarding               sshBool  // *
	ExposeAuthInfo                  sshBool  // *
	FingerprintHash                 string   // *
	GSSAPICleanupCredentials        sshBool  // .
	GSSAPIStrictAcceptorCheck       sshBool  // *
	HostCertificate                 string   // *
	HostKeyAgent                    string   // *
	HostKeyAlgorithms               []string // +*
	HostKey                         []string // .+
	IgnoreUserKnownHosts            sshBool  // .
	KerberosGetAFSToken             sshBool  // .
	KerberosOrLocalPasswd           sshBool  // .
	KerberosTicketCleanup           sshBool  // .
	// NOTE(review): KexAlgorithms is a comma-separated list like Ciphers and
	// MACs (both []string here) and is tagged "+", so a scalar string means
	// the hardening code must do its own splitting/joining; consider
	// []string for consistency with the sibling fields and with
	// SshConf.KexAlgorithms.
	KexAlgorithms string     // +*
	ListenAddress ListenAddr // .
	LoginGraceTime string    // .
	MACs           []string  // +*
	// NOTE(review): a MatchSshd type (criteria plus rules) is declared below
	// but Match here is a flat map; confirm which representation the parser
	// actually fills.
	Match                 map[string]string // .
	MaxStartups           string            // .
	PermitUserEnvironment sshBool           // .
	PidFile               string            // .
	Port                  []uint16          // .
	PrintLastLog          sshBool           // .+
	PrintMotd             sshBool           // .
	// NOTE(review): Protocol only selected SSH protocol versions; confirm the
	// targeted OpenSSH release still accepts it before writing it out.
	Protocol            int     // +*
	PubkeyAuthOptions   string  // *
	SecurityKeyProvider string  // *
	StrictModes         sshBool // .+
	Subsystem           string  // .
	SyslogFacility      string  // .
	TCPKeepAlive        sshBool // .
	UseDNS              sshBool // .
	UsePAM              sshBool // .
	VersionAddendum     string  // .
	X11UseLocalhost     sshBool // .
	XAuthLocation       string  // *
}

// ListenAddr is a parsed ListenAddress directive.
type ListenAddr struct {
	// Addr is hostname|address, hostname:port, IPv4_address:port, or
	// [hostname|address]:port in the conf string.
	Addr    string
	Port    uint16
	RDomain string
}

// MatchSshd is an sshd_config Match block: the Criteria that select it and
// the Rules applied when it matches.
type MatchSshd struct {
	Criteria map[string]string
	Rules    []SshdMatchRule
}

// SshMatchRule is more or less a subset of SshConf. These are valid keywords
// for Match blocks in ssh_config.
//
// NOTE(review): currently empty, so MatchSsh and HostSsh carry no directives
// yet; fill in before relying on them.
type SshMatchRule struct {
}

// SshConf represents an /etc/ssh/ssh_config (or ~/.ssh/config) file.
type SshConf struct {
	AddKeysToAgent                  string      // *
	AddressFamily                   string      // .
	BatchMode                       sshBool     // .
	BindAddress                     string      // *
	BindInterface                   string      // *
	CanonicalDomains                []string    // *
	CanonicalizeFallbackLocal       sshBool     // *
	CanonicalizeHostname            sshBool     // *
	CanonicalizeMaxDots             uint8       // *
	CanonicalizePermittedCNAMEs     [][2]string // * (source_domain_list, target_domain_list pairs)
	CASignatureAlgorithms           []string    // *
	CertificateFile                 string      // *
	ChallengeResponseAuthentication sshBool     // *
	CheckHostIP                     sshBool     // .+
	Ciphers                         []string    // .+
	ClearAllForwardings             sshBool     // *
	Compression                     sshBool     // *
	ConnectionAttempts              uint16      // *
	ConnectTimeout                  uint16      // .
	ControlMaster                   string      // *
	ControlPath                     string      // *
	ControlPersist                  string      // *
	EnableSSHKeysign                sshBool     // *
	EscapeChar                      string      // .
	ExitOnForwardFailure            sshBool     // *
	FingerprintHash                 string      // *
	ForwardAgent                    string      // .
	// NOTE(review): the field name is "Xll" (ell-ell) but the directive is
	// ForwardX11 (one-one); renaming is an exported-API change, so it is
	// flagged here rather than changed. Make sure the serialiser emits the
	// correct keyword regardless of the field name.
	ForwardXll                sshBool  // .
	ForwardX11Timeout         string   // .
	ForwardX11Trusted         sshBool  // *
	GatewayPorts              sshBool  // *
	GlobalKnownHostsFile      []string // *
	GSSAPIAuthentication      sshBool  // .
	GSSAPIDelegateCredentials sshBool  // .
	HashKnownHosts            sshBool  // *+
	Host                      []HostSsh // .
	HostbasedAuthentication   sshBool  // .
	HostbasedKeyTypes         []string // *+
	HostKeyAlgorithms         []string // *+
	HostKeyAlias              string   // *
	Hostname                  string   // *
	IdentitiesOnly            sshBool  // *
	IdentityAgent             string   // *
	IdentityFile              []string // .
	IgnoreUnknown             []string // *
	Include                   string   // *
	IPQoS                     string   // *
	KbdInteractiveAuthentication sshBool  // *
	KbdInteractiveDevices        []string // *
	KexAlgorithms                []string // *
	LocalCommand                 string   // *
	LocalForward                 [2]string // * (listen spec, destination spec)
}

// MatchSsh is an ssh_config Match block: the Criteria that select it and the
// Rules applied when it matches.
type MatchSsh struct {
	Criteria map[string]string
	Rules    []SshMatchRule
}

// HostSsh is an ssh_config Host block: the Hostname pattern it applies to and
// the Rules set for it.
type HostSsh struct {
	Hostname string
	Rules    []SshMatchRule
}