/*
SSHSecure - a program to harden OpenSSH from defaults
Copyright (C) 2020 Brent Saner

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
package config
/*
NOTATION KEY (used in the trailing comment of every struct field below):

.: Exists in the default upstream config (but is usually commented out there).
+: These values are, or may be, modified by this program.
*: These values are not in the upstream config but are allowed per the man pages (sshd_config(5) and ssh_config(5)).
*/
// SshdMatchRule is more or less a subset of SshdConf. These are valid keywords for Match blocks in sshd_config.
//
// Each field's trailing comment carries the NOTATION KEY marks from the top of
// this file ("." in the upstream default config, "+" may be rewritten by this
// program, "*" allowed per sshd_config(5) but absent from the upstream default).
// The "+" fields (AuthenticationMethods, HostbasedAcceptedKeyTypes,
// PasswordAuthentication, PermitEmptyPasswords, PermitRootLogin,
// PubkeyAuthentication) are the hardening targets within a Match block.
//
// NOTE(review): sshBool and sshEnv are not declared in this file, so the
// meaning of an unset (zero-value) directive is defined wherever they live —
// confirm before relying on "zero means not written to the config".
type SshdMatchRule struct {
	AcceptEnv                       []string // *
	AllowAgentForwarding            sshBool  // .
	AllowGroups                     []string // *
	AllowStreamLocalForwarding      string   // *
	AllowTcpForwarding              string   // .
	AllowUsers                      []string // *
	AuthenticationMethods           []string // +*
	AuthorizedKeysCommand           string   // .
	AuthorizedKeysCommandUser       string   // .
	AuthorizedKeysFile              string   // .
	AuthorizedPrincipalsCommand     string   // *
	AuthorizedPrincipalsCommandUser string   // *
	AuthorizedPrincipalsFile        string   // .
	Banner                          string   // .
	ChrootDirectory                 string   // .
	ClientAliveCountMax             int      // .
	ClientAliveInterval             int      // .
	DenyGroups                      []string // *
	DenyUsers                       []string // *
	ForceCommand                    string   // *
	GatewayPorts                    string   // .
	GSSAPIAuthentication            sshBool  // .
	HostbasedAcceptedKeyTypes       []string // *+
	HostbasedAuthentication         sshBool  // .
	HostbasedUsesNameFromPacketOnly sshBool  // *
	// NOTE(review): IgnoreRhosts is a plain string while the other yes/no
	// directives in this struct use sshBool — confirm whether that is intended.
	IgnoreRhosts string // .
	// Do we handle includes? Or just let sshd -T handle it?
	// (sshd -T outputs the effective configuration, so includes would already
	// be resolved if the program reads that output rather than the file itself.)
	Include string // *
	// Accepts one or two. If two, first is interactive and second is non-interactive.
	IPQoS                        [2]string // *
	KbdInteractiveAuthentication sshBool   // *
	KerberosAuthentication       sshBool   // .
	LogLevel                     string    // .
	MaxAuthTries                 int       // .
	MaxSessions                  int       // .
	PasswordAuthentication       sshBool   // .+
	PermitEmptyPasswords         sshBool   // +
	PermitListen                 string    // *
	PermitOpen                   string    // *
	PermitRootLogin              string    // .+
	PermitTTY                    sshBool   // .
	PermitTunnel                 string    // .
	PermitUserRC                 sshBool   // *
	PubkeyAcceptedKeyTypes       []string  // *
	PubkeyAuthentication         sshBool   // .+
	RekeyLimit                   []string  // .
	RevokedKeys                  string    // *
	RDomain                      string    // *
	SetEnv                       sshEnv    // *
	// max is 4095, it goes in the config as an octal.
	// (4095 == 07777; the writer must format this base-8, not base-10.)
	StreamLocalBindMask   uint16  // *
	StreamLocalBindUnlink sshBool // *
	TrustedUserCAKeys     string  // *
	X11DisplayOffset      int     // .
	X11Forwarding         sshBool // .
}
// SshdConf represents an /etc/ssh/sshd_config file's directives/values.
// Values in SshdMatchRule are not reproduced here.
//
// SshdMatchRule is embedded, so every Match-block keyword is also addressable
// directly on an SshdConf (e.g. conf.PermitRootLogin) for the global section.
// Trailing comments use the NOTATION KEY at the top of this file; the "+"
// fields here (ChallengeResponseAuthentication, Ciphers, HostKeyAlgorithms,
// HostKey, KexAlgorithms, MACs, PrintLastLog, Protocol, StrictModes) are the
// global-section hardening targets.
//
// NOTE(review): Match is a map[string]string here, yet a MatchSshd type
// (criteria plus rules) is declared below and nothing in this file uses it.
// A map also cannot preserve the order of several Match blocks, which is
// significant to sshd — confirm which representation parsed blocks should use.
// NOTE(review): KexAlgorithms is a string while Ciphers, MACs and
// HostKeyAlgorithms are []string (and SshConf.KexAlgorithms is []string).
// NOTE(review): ListenAddress holds a single ListenAddr although Port is a
// slice; sshd_config permits multiple ListenAddress lines — confirm.
// NOTE(review): Protocol is marked "+*"; presumably only protocol 2 is
// relevant on current OpenSSH, so check whether it still needs to be written.
type SshdConf struct {
	SshdMatchRule
	AddressFamily                   string            // .
	CASignatureAlgorithms           []string          // *
	ChallengeResponseAuthentication sshBool           // .+
	Ciphers                         []string          // +*
	Compression                     string            // .
	DisableForwarding               sshBool           // *
	ExposeAuthInfo                  sshBool           // *
	FingerprintHash                 string            // *
	GSSAPICleanupCredentials        sshBool           // .
	GSSAPIStrictAcceptorCheck       sshBool           // *
	HostCertificate                 string            // *
	HostKeyAgent                    string            // *
	HostKeyAlgorithms               []string          // +*
	HostKey                         []string          // .+
	IgnoreUserKnownHosts            sshBool           // .
	KerberosGetAFSToken             sshBool           // .
	KerberosOrLocalPasswd           sshBool           // .
	KerberosTicketCleanup           sshBool           // .
	KexAlgorithms                   string            // +*
	ListenAddress                   ListenAddr        // .
	LoginGraceTime                  string            // .
	MACs                            []string          // +*
	Match                           map[string]string // .
	MaxStartups                     string            // .
	PermitUserEnvironment           sshBool           // .
	PidFile                         string            // .
	Port                            []uint16          // .
	PrintLastLog                    sshBool           // .+
	PrintMotd                       sshBool           // .
	Protocol                        int               // +*
	PubkeyAuthOptions               string            // *
	SecurityKeyProvider             string            // *
	StrictModes                     sshBool           // .+
	Subsystem                       string            // .
	SyslogFacility                  string            // .
	TCPKeepAlive                    sshBool           // .
	UseDNS                          sshBool           // .
	UsePAM                          sshBool           // .
	VersionAddendum                 string            // .
	X11UseLocalhost                 sshBool           // .
	XAuthLocation                   string            // *
}
// ListenAddr is a parsed ListenAddress directive.
//
// Nothing in this file shows how an absent port or rdomain is represented;
// presumably Port == 0 and RDomain == "" mean "not given" — confirm against
// the parser before treating 0 as a literal port.
type ListenAddr struct {
	Addr    string // hostname|address, hostname:port, IPv4_address:port, or [hostname|address]:port in conf string.
	Port    uint16 // port component, if one was given — TODO confirm zero means unset
	RDomain string // "rdomain" qualifier, if one was given — TODO confirm
}
// MatchSshd is an sshd_config Match block.
//
// Criteria maps a Match criterion keyword to its pattern; Rules holds the
// keywords that apply when the criteria are satisfied. Because sshd evaluates
// Match blocks in file order, a []MatchSshd must preserve that order — TODO
// confirm the parser does.
//
// NOTE(review): Rules is a slice of SshdMatchRule, and each SshdMatchRule is
// already a full set of keywords; confirm whether more than one element is
// ever expected, or whether a single SshdMatchRule would do.
type MatchSshd struct {
	Criteria map[string]string // criterion keyword -> pattern, as written on the Match line
	Rules    []SshdMatchRule   // keywords set inside the block
}
// SshMatchRule is more or less a subset of SshConf. These are valid keywords for Match blocks in ssh_config.
//
// The struct is currently empty: no client-side Match keywords have been
// filled in yet, so MatchSsh.Rules and HostSsh.Rules carry no data until
// they are.
type SshMatchRule struct {
}
// SshConf represents an /etc/ssh/ssh_config (or ~/.ssh/config) file.
//
// Trailing comments use the NOTATION KEY at the top of this file; the "+"
// fields here (CheckHostIP, Ciphers, HashKnownHosts, HostbasedKeyTypes,
// HostKeyAlgorithms) are the client-side hardening targets.
//
// NOTE(review): the field list stops at LocalForward; keywords later in the
// alphabet (LogLevel, MACs, Port, User, ...) are not present, so this looks
// incomplete rather than deliberate — confirm.
// NOTE(review): there is no Match field although a MatchSsh type is declared
// below; only Host blocks are representable from this struct.
type SshConf struct {
	AddKeysToAgent                  string      // *
	AddressFamily                   string      // .
	BatchMode                       sshBool     // .
	BindAddress                     string      // *
	BindInterface                   string      // *
	CanonicalDomains                []string    // *
	CanonicalizeFallbackLocal       sshBool     // *
	CanonicalizeHostname            sshBool     // *
	CanonicalizeMaxDots             uint8       // *
	CanonicalizePermittedCNAMEs     [][2]string // * (source-domain pattern, target-domain pattern) pairs — TODO confirm element order
	CASignatureAlgorithms           []string    // *
	CertificateFile                 string      // *
	ChallengeResponseAuthentication sshBool     // *
	CheckHostIP                     sshBool     // .+
	Ciphers                         []string    // .+
	ClearAllForwardings             sshBool     // *
	Compression                     sshBool     // *
	ConnectionAttempts              uint16      // *
	ConnectTimeout                  uint16      // . presumably seconds, as in ssh_config — confirm
	ControlMaster                   string      // *
	ControlPath                     string      // *
	ControlPersist                  string      // *
	EnableSSHKeysign                sshBool     // *
	EscapeChar                      string      // .
	ExitOnForwardFailure            sshBool     // *
	FingerprintHash                 string      // *
	ForwardAgent                    string      // .
	// NOTE(review): the field name reads as "X" followed by two lowercase L's;
	// the ssh_config directive is ForwardX11. Renaming would break any caller
	// that already references ForwardXll, so it is flagged here rather than changed.
	ForwardXll        sshBool // .
	ForwardX11Timeout string  // .
	ForwardX11Trusted sshBool // *
	GatewayPorts      sshBool // *
	GlobalKnownHostsFile      []string  // *
	GSSAPIAuthentication      sshBool   // .
	GSSAPIDelegateCredentials sshBool   // .
	HashKnownHosts            sshBool   // *+
	Host                      []HostSsh // . one entry per Host block, in file order — TODO confirm
	HostbasedAuthentication   sshBool   // .
	HostbasedKeyTypes         []string  // *+
	HostKeyAlgorithms         []string  // *+
	HostKeyAlias              string    // *
	Hostname                  string    // *
	IdentitiesOnly            sshBool   // *
	IdentityAgent             string    // *
	IdentityFile              []string  // .
	IgnoreUnknown             []string  // *
	Include                   string    // *
	IPQoS                     string    // *
	KbdInteractiveAuthentication sshBool  // *
	KbdInteractiveDevices        []string // *
	KexAlgorithms                []string // *
	LocalCommand                 string   // *
	// NOTE(review): a fixed [2]string can hold only one forwarding; ssh_config
	// allows the LocalForward directive to be given more than once — confirm
	// whether a slice of pairs was intended.
	LocalForward [2]string // *
}
// MatchSsh is an ssh_config Match block.
//
// Criteria maps a Match criterion keyword to its pattern; Rules holds the
// keywords that apply when the criteria are satisfied. Block order matters
// to ssh, so a []MatchSsh should preserve file order — TODO confirm.
// Nothing in this file references MatchSsh (SshConf has no Match field).
type MatchSsh struct {
	Criteria map[string]string // criterion keyword -> pattern, as written on the Match line
	Rules    []SshMatchRule    // keywords set inside the block (SshMatchRule is currently empty)
}
// HostSsh is an ssh_config Host block: the pattern(s) on the Host line and
// the keywords that follow it.
//
// NOTE(review): Hostname is a single string, while a Host line may carry
// several space-separated patterns (including negated ones) — confirm whether
// the parser keeps the raw line or only the first pattern.
type HostSsh struct {
	Hostname string         // the Host line's pattern text — TODO confirm exact contents
	Rules    []SshMatchRule // keywords set inside the block (SshMatchRule is currently empty)
}