/*
SSHSecure - a program to harden OpenSSH from defaults
Copyright (C) 2020 Brent Saner

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
package config

/*
NOTATION KEY (trailing comments on struct fields below):
.: Exists in default upstream config (but usually they're commented out)
+: These values are/may be modified by this program.
*: These values are not in the upstream config but are allowed via the man page (sshd_config(5) and ssh_config(5)).

sshBool is declared elsewhere in this package; the field comments here do not
assume anything about how it is parsed or rendered.
*/

// SshdMatchRule holds the sshd_config directives that are valid inside a Match
// block. It is more or less a subset of SshdConf, and SshdConf embeds it so the
// same directives are also available at the top level of a config.
//
// The trailing ".", "+" and "*" marks follow the NOTATION KEY above. Fields
// marked "+" are the ones this program may rewrite when hardening a config, so
// a change to their type or meaning affects the emitted sshd_config directly.
type SshdMatchRule struct {
	AcceptEnv []string // *
	AllowAgentForwarding sshBool // .
	AllowGroups []string // *
	AllowStreamLocalForwarding string // *
	AllowTcpForwarding string // .
	AllowUsers []string // *
	// NOTE(review): sshd_config(5) treats each whitespace-separated entry as a
	// comma-joined set of methods that must all succeed; confirm the slice holds
	// entries at that granularity (one element per alternative) rather than one
	// element per method.
	AuthenticationMethods []string // +*
	AuthorizedKeysCommand string // .
	AuthorizedKeysCommandUser string // .
	AuthorizedKeysFile string // .
	AuthorizedPrincipalsCommand string // *
	AuthorizedPrincipalsCommandUser string // *
	AuthorizedPrincipalsFile string // .
	Banner string // .
	ChrootDirectory string // .
	ClientAliveCountMax int // .
	ClientAliveInterval int // .
	DenyGroups []string // *
	DenyUsers []string // *
	ForceCommand string // *
	GatewayPorts string // .
	GSSAPIAuthentication sshBool // .
	// NOTE(review): newer OpenSSH releases spell this directive
	// HostbasedAcceptedAlgorithms and keep the old name as an alias; confirm
	// which release range this program targets before emitting either spelling.
	HostbasedAcceptedKeyTypes []string // *
	HostbasedAuthentication sshBool // .
	HostbasedUsesNameFromPacketOnly sshBool // *
	IgnoreRhosts string // .
	// Do we handle includes? Or just let sshd -T handle it?
	// (Open question from the author; nothing in this file resolves it.)
	Include string // *
	// Accepts one or two. If two, first is interactive and second is non-interactive.
	IPQoS [2]string // *
	KbdInteractiveAuthentication sshBool // *
	KerberosAuthentication sshBool // .
	LogLevel string // .
	MaxAuthTries int // .
	MaxSessions int // .
	PasswordAuthentication sshBool // .+
	PermitEmptyPasswords sshBool // +
	PermitListen string // *
	PermitOpen string // *
	// Kept as a string rather than sshBool because the directive takes a keyword
	// (sshd_config(5) lists values such as "prohibit-password" alongside yes/no).
	PermitRootLogin string // .+
	PermitTTY sshBool // .
	PermitTunnel string // .
	PermitUserRC sshBool // *
	// NOTE(review): see HostbasedAcceptedKeyTypes — newer releases spell this
	// PubkeyAcceptedAlgorithms.
	PubkeyAcceptedKeyTypes []string // *
	PubkeyAuthentication sshBool // .+
	RekeyLimit string // .
	RevokedKeys string // *
	RDomain string // *
	SetEnv map[string]string // *
	// max is 4095, it goes in the config as an octal.
	// Stored as a plain integer here; whatever renders the config must format it
	// in octal (e.g. 0177 form), since a decimal rendering of the same value
	// would be read by sshd as a different mask.
	StreamLocalBindMask uint16 // *
	StreamLocalBindUnlink sshBool // *
	TrustedUserCAKeys string // *
	X11DisplayOffset int // .
	X11Forwarding sshBool // .
}

// SshdConf represents an /etc/ssh/sshd_config file's directives/values.
// Values in SshdMatchRule are not reproduced here; they are reachable through
// the embedded SshdMatchRule instead.
type SshdConf struct {
	SshdMatchRule
	AddressFamily string // .
	CASignatureAlgorithms []string // *
	// NOTE(review): newer OpenSSH releases treat this as a deprecated alias of
	// KbdInteractiveAuthentication (declared on SshdMatchRule); confirm the
	// targeted release so the two fields are not emitted with conflicting values.
	ChallengeResponseAuthentication sshBool // .+
	Ciphers []string // +*
	Compression string // .
	DisableForwarding sshBool // *
	ExposeAuthInfo sshBool // *
	FingerprintHash string // *
	GSSAPICleanupCredentials sshBool // .
	GSSAPIStrictAcceptorCheck sshBool // *
	HostCertificate string // *
	HostKeyAgent string // *
	HostKeyAlgorithms []string // +*
	HostKey []string // .
	IgnoreUserKnownHosts sshBool // .
	KerberosGetAFSToken sshBool // .
	KerberosOrLocalPasswd sshBool // .
	KerberosTicketCleanup sshBool // .
	// NOTE(review): the sibling algorithm-list directives this program modifies
	// (Ciphers, MACs, HostKeyAlgorithms) are []string, but this one is a single
	// string; confirm whether callers split/join it themselves or whether it was
	// meant to be []string as well.
	KexAlgorithms string // +*
	ListenAddress ListenAddr // .
	LoginGraceTime string // .
	MACs []string // +*
	// NOTE(review): MatchSshd (below) models a Match block as criteria plus a
	// list of SshdMatchRule, whereas this field is a flat map that cannot carry
	// those per-block rules; confirm which representation the parser actually
	// populates.
	Match map[string]string // .
	MaxStartups string // .
	PermitUserEnvironment sshBool // .
	PidFile string // .
	Port uint16 // .
	PrintLastLog sshBool // .+
	PrintMotd sshBool // .
	// NOTE(review): OpenSSH dropped protocol version 1 support some releases
	// ago, so current sshd ignores this directive; confirm it is still worth
	// emitting for the targeted release.
	Protocol int // +*
	PubkeyAuthOptions string // *
	SecurityKeyProvider string // *
	StrictModes sshBool // .+
	Subsystem string // .
	SyslogFacility string // .
	TCPKeepAlive sshBool // .
	UseDNS sshBool // .
	UsePAM sshBool // .
	VersionAddendum string // .
	X11UseLocalhost sshBool // .
	XAuthLocation string // *
}

// SshConf represents an /etc/ssh/ssh_config (or ~/.ssh/config) file.
type SshConf struct {
	// These are in the default upstream sshd_config so we don't touch them. (Most, if not all, are commented out.)
	// We just have them here to parse them.
	// NOTE(review): "sshd_config" above is presumably meant to read "ssh_config",
	// given this type describes the client-side file.
	Host map[string]string
}

// ListenAddr is the parsed form of a ListenAddress directive.
type ListenAddr struct {
	Addr string // hostname|address, hostname:port, IPv4_address:port, or [hostname|address]:port in conf string.
	Port uint16
	RDomain string
}

// MatchSshd pairs the criteria of an sshd_config Match block with the rules
// (SshdMatchRule values) that apply when those criteria are met.
type MatchSshd struct {
	Criteria map[string]string
	Rules []SshdMatchRule
}