From 766198912d558e4630b258bba62e78587b3f0efe Mon Sep 17 00:00:00 2001
From: Dennis Camera
Date: Tue, 5 Jan 2021 15:50:21 +0100
Subject: [PATCH 1/3] [type/__sshd_config] Produce error if invalid config file is generated
Previously, cdist would silently swallow the error (no invalid config file was generated). Reason: `set -e` does not exit if a command in a sub-command group fails, it merely returns with a non-zero exit status. e.g. the following snippet does not abort the script if sshd -t returns with a non-zero exit status: set -e cmp -s old new || { # check config file and update it sshd -t -f new \ && cat new >old } or compressed: set -e false || { false && true; } echo $? # prints 1
---
 cdist/conf/type/__sshd_config/gencode-remote | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/cdist/conf/type/__sshd_config/gencode-remote b/cdist/conf/type/__sshd_config/gencode-remote
index 0b44dfa7..275db4aa 100755
--- a/cdist/conf/type/__sshd_config/gencode-remote
+++ b/cdist/conf/type/__sshd_config/gencode-remote
@@ -91,7 +91,8 @@ awk $(drop_awk_comments "${__type:?}/files/update_sshd_config.awk") \\
 cmp -s $(quote "${sshd_config_file}") $(quote "${sshd_config_file}.tmp") || {
 sshd -t -f $(quote "${sshd_config_file}.tmp") \\
- && cat $(quote "${sshd_config_file}.tmp") >$(quote "${sshd_config_file}")
+ && cat $(quote "${sshd_config_file}.tmp") >$(quote "${sshd_config_file}") \\
+ || exit # stop if sshd_config file check fails
 }
 rm -f $(quote "${sshd_config_file}.tmp")
 EOF
From 8753b7eedf022a052ddc0b27fbc58ebf8fd638e1 Mon Sep 17 00:00:00 2001 
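Review bot: The added `|| exit` leaves `${sshd_config_file}.tmp` on the target whenever `sshd -t` rejects the candidate, because the `rm -f` after the closing `}` is no longer reached. Cleaning up on that path keeps the rejected file from lingering beside the live config while still returning the failing status: `|| { rc=\$?; rm -f $(quote "${sshd_config_file}.tmp"); exit \$rc; }` in place of the added line (the `\$` is needed if, as the `$(quote …)` and `\\` escapes suggest, the heredoc is expanded by gencode-remote rather than on the target). A bare `exit` already carries the status of the failed `sshd -t` or of a failed `cat`, so the comment could read `# abort if the config check or the copy fails` to cover both cases. The `cat <<EOF` this block is written through starts before the hunk.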
From: Dennis Camera
Date: Tue, 5 Jan 2021 15:57:39 +0100
Subject: [PATCH 2/3] [type/__sshd_config] Make AuthenticationMethods and AuthorizedKeysFile singleton options
They were incorrectly treated as non-singleton options before. cf. https://github.com/openssh/openssh-portable/blob/V_8_4/servconf.c#L2273 and https://github.com/openssh/openssh-portable/blob/V_8_4/servconf.c#L1899 resp.
---
 cdist/conf/type/__sshd_config/files/update_sshd_config.awk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cdist/conf/type/__sshd_config/files/update_sshd_config.awk b/cdist/conf/type/__sshd_config/files/update_sshd_config.awk
index d0bc2b4b..f7f30e87 100644
--- a/cdist/conf/type/__sshd_config/files/update_sshd_config.awk
+++ b/cdist/conf/type/__sshd_config/files/update_sshd_config.awk
@@ -89,7 +89,7 @@ function strdelim(s) { return strdelim_internal(s, 1) }
 function strdelimw(s) { return strdelim_internal(s, 0) }
 function singleton_option(opt) {
- return tolower(opt) !~ /^(acceptenv|allowgroups|allowusers|authenticationmethods|authorizedkeysfile|denygroups|denyusers|hostcertificate|hostkey|listenaddress|logverbose|permitlisten|permitopen|port|setenv|subsystem)$/
+ return tolower(opt) !~ /^(acceptenv|allowgroups|allowusers|denygroups|denyusers|hostcertificate|hostkey|listenaddress|logverbose|permitlisten|permitopen|port|setenv|subsystem)$/
 }
 function print_update() {
From bd8ab8f26fdc242f2eb77e58049d640f96d51a69 Mon Sep 17 00:00:00 2001
From: Dennis Camera
Date: Tue, 5 Jan 2021 17:00:55 +0100
Subject: [PATCH 3/3] [type/__sshd_config] Document "bug" in state explorer
---
 cdist/conf/type/__sshd_config/man.rst | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/cdist/conf/type/__sshd_config/man.rst b/cdist/conf/type/__sshd_config/man.rst
index 8b0069ac..c8e6b8ad 100644
--- a/cdist/conf/type/__sshd_config/man.rst
+++ b/cdist/conf/type/__sshd_config/man.rst 
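Review bot: `singleton_option` carries no comment stating what qualifies an option for the exclusion list, so the rationale given in the commit message (sshd honours only the first occurrence of `AuthenticationMethods` and `AuthorizedKeysFile`, with the servconf.c references) is lost once the patch lands and the next person adding an option has to rediscover it. A comment above the function such as `# An option is a singleton when sshd keeps only its first occurrence; the list below names the directives sshd accumulates across repeated lines (cf. servconf.c in openssh-portable).` would carry that over. Because the test is a negated match, any option missing from the list is silently treated as a singleton, so a second line, `# Options not listed here are treated as singletons.`, would make that failure mode explicit.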
@@ -79,6 +79,10 @@ BUGS
 - ``Include`` directives are ignored.
 - Config options are not added/removed to/from the config file if their value is the default value.
+- | The explorer will incorrectly report ``absent`` if OpenSSH internally
+ transforms one value to another (e.g. ``permitrootlogin prohibit-password``
+ is transformed to ``permitrootlogin without-password``).
+ | Workaround: Use the value that OpenSSH uses internally.
 AUTHORS