
Merge pull request #1767 from jrha/cleanup-ssh
ncm-ssh: Clean up pan templates
jrha authored Dec 5, 2024
2 parents 934cfac + 4001143 commit 124f057
Showing 3 changed files with 49 additions and 25 deletions.
4 changes: 2 additions & 2 deletions ncm-ssh/src/main/pan/components/ssh/schema-5.3.pan
Expand Up @@ -7,6 +7,6 @@
declaration template components/ssh/schema-5.3;

type ssh_authkeyscommand_options_type = {
"AuthorizedKeysCommand" ? string
"AuthorizedKeysCommandRunAs" ? string
"AuthorizedKeysCommand" ? string
"AuthorizedKeysCommandRunAs" ? string
};
68 changes: 46 additions & 22 deletions ncm-ssh/src/main/pan/components/ssh/schema.pan
Expand Up @@ -12,18 +12,26 @@ variable SSH_SCHEMA_VERSION ?= '5.3';

include 'components/ssh/schema-' + SSH_SCHEMA_VERSION;

type ssh_preferred_authentication = string with match(SELF, '^(gssapi-with-mic|hostbased|publickey' +
'|keyboard-interactive|password)$');

type ssh_preferred_authentication = choice(
'gssapi-with-mic',
'hostbased',
'keyboard-interactive',
'password',
'publickey'
);

type ssh_ciphers = string with is_valid_ssh_cipher(SELF);
type ssh_hostkeyalgorithms = string with match(SELF, "^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)" +
"(ssh-rsa-cert-v01|ssh-dss-cert-v01|ecdsa-sha2-nistp256-cert-v01|ecdsa-sha2-nistp384-cert-v01|" +
"|ecdsa-sha2-nistp521-cert-v01|ssh-rsa-cert-v00|ssh-dss-cert-v00|ssh-ed25519-cert-v01)@openssh.com)$");
type ssh_kbdinteractivedevices = string with match (SELF, "^(bsdauth|pam|skey)$");
type ssh_kexalgorithms = string with match (SELF, "^(diffie-hellman-group-exchange-sha256|" +
"ecdh-sha2-nistp(256|384|521)|[email protected])$");

type ssh_kexalgorithms = choice(
'diffie-hellman-group-exchange-sha256',
'ecdh-sha2-nistp256',
'ecdh-sha2-nistp384',
'ecdh-sha2-nistp521',
'[email protected]'
);

type ssh_MACs = string with is_valid_ssh_MAC(SELF);

type ssh_gssapikexalgorithms = choice(
'gss-gex-sha1-',
'gss-group1-sha1-',
Expand All @@ -35,17 +43,32 @@ type ssh_gssapikexalgorithms = choice(
);

function is_valid_ssh_MAC = {
match(ARGV[0], "^(hmac-(sha2-256|sha2-512|ripemd160)|(hmac-ripemd160|umac-64|umac-128|hmac-sha2-256-etm" +
"|hmac-sha2-512-etm|hmac-ripemd160-etm|umac-64-etm|umac-128-etm)@openssh.com)$");
valid_options = list(
'hmac-ripemd160',
'[email protected]',
'[email protected]',
'hmac-sha2-256',
'[email protected]',
'hmac-sha2-512',
'[email protected]',
'[email protected]',
'[email protected]',
'[email protected]',
'[email protected]',
);
index(ARGV[0], valid_options) >= 0;
};

function is_valid_ssh_cipher = {
match (ARGV[0], "^((aes128|aes192|aes256)-ctr|(aes128-gcm|aes256-gcm|chacha20-poly1305)@openssh.com)$");
};

function is_valid_ssh_kexalgorithm = {
match (ARGV[0], "^(diffie-hellman-group-exchange-sha256|ecdh-sha2-nistp(256|384|521)|" +
"[email protected])$");
valid_options = list(
'aes128-ctr',
'aes192-ctr',
'aes256-ctr',
'[email protected]',
'[email protected]',
'[email protected]',
);
index(ARGV[0], valid_options) >= 0;
};

type legacy_ssh_MACs = string with {
Expand Down Expand Up @@ -76,17 +99,17 @@ type legacy_ssh_kexalgorithm = string with {
};

type ssh_core_options_type = {
"AddressFamily" ? string with match (SELF, '^(any|inet6?)$')
"AddressFamily" ? choice('any', 'inet', 'inet6')
"ChallengeResponseAuthentication" ? legacy_binary_affirmation_string
"Ciphers" ? legacy_ssh_ciphers
"Compression" ? string with match (SELF, '^(yes|delayed|no)$')
"Compression" ? choice('yes', 'delayed', 'no')
"GSSAPIAuthentication" ? legacy_binary_affirmation_string
"GSSAPICleanupCredentials" ? legacy_binary_affirmation_string
"GSSAPIKexAlgorithms" ? ssh_gssapikexalgorithms[1..]
"GSSAPIKeyExchange" ? legacy_binary_affirmation_string
"GatewayPorts" ? legacy_binary_affirmation_string
"HostbasedAuthentication" ? legacy_binary_affirmation_string
"LogLevel" ? string with match (SELF, '^(QUIET|FATAL|ERROR|INFO|VERBOSE|DEBUG[123]?)$')
"LogLevel" ? choice('QUIET', 'FATAL', 'ERROR', 'INFO', 'VERBOSE', 'DEBUG1', 'DEBUG2', 'DEBUG3')
"MACs" ? legacy_ssh_MACs
"PasswordAuthentication" ? legacy_binary_affirmation_string
"Protocol" ? string
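Review bot: The new `LogLevel` choice in this hunk drops a value the old pattern accepted: `DEBUG[123]?` matched bare `DEBUG` as well as `DEBUG1`–`DEBUG3`, so any existing profile that sets `LogLevel` to `DEBUG` will now fail validation. Adding it back keeps the cleanup behaviour-preserving: `"LogLevel" ? choice('QUIET', 'FATAL', 'ERROR', 'INFO', 'VERBOSE', 'DEBUG', 'DEBUG1', 'DEBUG2', 'DEBUG3')`. The `AddressFamily`, `Compression` and `PermitTunnel` conversions in this hunk and the next do cover every alternative of the patterns they replace. Separately, the unchanged `ssh_hostkeyalgorithms` pattern in the first hunk is missing a `|` between the `ecdsa-sha2-nistp(256|384|521)` group and the certificate group and carries a stray `||` empty alternative, so plain `ecdsa-sha2-nistp256` is rejected while `ecdsa-sha2-nistp256@openssh.com` is accepted; the minimal fix is to end the first string with `|" +` and start the third with `"ecdsa-sha2-nistp521-cert-v01|`, or to convert the type to a `choice()` like its neighbours. `ssh_core_options_type` continues outside the hunk.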
Expand Down Expand Up @@ -150,7 +173,7 @@ type ssh_daemon_options_type = {
};
true;
}
"PermitTunnel" ? string with match (SELF, '^(yes|point-to-point|ethernet|no)$')
"PermitTunnel" ? choice('yes', 'point-to-point', 'ethernet', 'no')
"PermitUserEnvironment" ? legacy_binary_affirmation_string
"PidFile" ? string
"Port" ? long
Expand All @@ -168,7 +191,8 @@ type ssh_daemon_options_type = {
"StrictModes" ? legacy_binary_affirmation_string
"Subsystem" ? string
"SyslogFacility" ? string with match (SELF,
'^(AUTH(PRIV)?|DAEMON|USER|KERN|UUCP|NEWS|MAIL|SYSLOG|LPR|FTP|CRON|LOCAL[0-7])$')
'^(AUTH(PRIV)?|DAEMON|USER|KERN|UUCP|NEWS|MAIL|SYSLOG|LPR|FTP|CRON|LOCAL[0-7])$'
)
"TcpRcvBuf" ? long
"TcpRcvBufPoll" ? legacy_binary_affirmation_string
"UseDNS" ? legacy_binary_affirmation_string
2 changes: 1 addition & 1 deletion ncm-ssh/src/test/resources/ssh_simple.pan
Expand Up @@ -16,5 +16,5 @@ prefix "/software/components/ssh/daemon/comment_options";
"Banner" = "Foobar";

prefix "/software/components/ssh/client/options";
"PreferredAuthentications" = list('gssapi-with-mic','hostbased','publickey');
"PreferredAuthentications" = list('gssapi-with-mic', 'hostbased', 'publickey');
"Port" = 22222;
