Introduce support for the distributed SSHd configuration #6926
Changes identified: Rule sshd_use_directory_configuration: Recommended tests to execute:
awesomeness!! Wish we had this in RHCOS already
Sometimes I really dislike the Match syntax of SSH config files, but at least it is consistent... :-)
I like the intent of this though!
linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml
linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml
Huh, there seem to be some regressions. This is from the
The same failure appears in the
There are some mysterious failures - the rule should work exactly the same on other products than Fedora and RHEL9, and it also fails to build (presumably on Python2 systems) with a really weird error message.
517c06c to 2fbaeff
8efe401 to ff74aaa
ff74aaa to facb544
facb544 to f3c48b0
@matejak Was there any conclusion on the mysterious failures?
@matejak Sorry, my mistake; I made a comment but did not finish the review.
linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh
Configuration of sshd moves from one config file to a config directory. Therefore, checks should consider all those files, and the remediation should aim to deliver fixes to one of those files in the config directory. Tests that interact with this behavior have been added and are applicable for Fedora and RHEL9 products.
It now escapes the text contents if parts of them could be incorrectly interpreted as regexes.
The rule makes sure that the sshd configuration is distributed in the /etc/ssh/sshd_config.d/ directory, and therefore it makes sense to scan that directory in other rules.
Support in older jinja2 packages is not in good shape.
Yes, they were related to Jinja constructs that were not supported everywhere, and they were fixed.
ad3845b to 6c97b0f
linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh
Don't remediate when the config file already contains the include directive.
6c97b0f to a3ec49f
I believe Alex's concerns were addressed
As we can see in recent Fedora versions, the sshd configuration is not contained in the config file; the config file just includes whatever is in the /etc/ssh/sshd_config.d/ directory. This PR adds this mechanism for Fedora and the RHEL9 products, and it introduces a rule that makes sure that such a directive exists in the main /etc/ssh/sshd_config file.
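As an added example that is not part of this PR or of the ComplianceAsCode project's own remediations: a POSIX sh sketch of the two pieces the discussion above describes. `sshd_effective_value` resolves a keyword the way sshd does, walking the main file in order, descending into the files named by an `Include` line at the point where it appears (in glob order) and taking the first value found, so a check that only greps /etc/ssh/sshd_config is shown to be insufficient once the directory is in use. `sshd_has_include` and `sshd_ensure_include` are the check and the idempotent remediation for the Include directive itself: the remediation inserts the line at the top of the file only when it is missing. The function names, the `sshd_make_sample` fixture, the trailing `*.conf` glob, and the simplifications (global section only, stopping at the first `Match` in a file; only whitespace-separated `Keyword value` lines) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not project code): sshd config resolution across the main
# file and the included directory, plus an idempotent Include remediation.
# Every function takes the config path as an argument so it can run against a
# constructed fixture rather than the real /etc/ssh/sshd_config.

# Return 0 when FILE ($1) already carries an uncommented Include whose argument
# starts with DIR ($2, default /etc/ssh/sshd_config.d/). Keyword match is
# case-insensitive, as sshd treats keywords; a leading '#' makes $1 "#Include".
sshd_has_include() {
    awk -v dir="${2:-/etc/ssh/sshd_config.d/}" \
        'tolower($1) == "include" && index($2, dir) == 1 { found = 1 }
         END { exit !found }' "$1"
}

# Insert "Include DIR*.conf" at the top of FILE unless it is already there, so
# repeated runs never stack duplicates. It goes first because sshd keeps the
# first value it sees for a keyword: placed later, settings in the main file
# would silently override everything in the directory. cp -p keeps the mode
# of the original (normally 0600) on the replacement file.
sshd_ensure_include() {
    _cfg="$1"; _dir="${2:-/etc/ssh/sshd_config.d/}"
    if sshd_has_include "$_cfg" "$_dir"; then
        return 0                      # already present: nothing to remediate
    fi
    _tmp="$_cfg.tmp.$$"
    cp -p "$_cfg" "$_tmp" \
        && { printf 'Include %s*.conf\n' "$_dir"; cat "$_cfg"; } > "$_tmp" \
        && mv "$_tmp" "$_cfg"
}

# Print the effective global value of KEYWORD ($1) starting from FILE ($2),
# following sshd's "first obtained value wins" rule with Include expanded in
# place. Returns 1 when the keyword is not set anywhere.
sshd_effective_value() {
    _want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    _sshd_walk "$2"
}

# Recursive helper: walk one file line by line. Positional parameters are
# function-local in sh, so the recursion does not disturb the caller's "$@".
_sshd_walk() {
    [ -r "$1" ] || return 1
    while IFS= read -r _line || [ -n "$_line" ]; do
        # Split on whitespace with globbing off so a literal '*' in a value
        # is not expanded here. (The "Keyword=value" form is not modelled.)
        set -f; set -- $_line; set +f
        [ $# -ge 1 ] || continue
        case "$1" in '#'*) continue ;; esac
        _kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        case "$_kw" in
            match)
                # Simplification: resolve the global section only, so stop at
                # the first Match block of this file.
                return 1 ;;
            include)
                shift
                for _pat in "$@"; do
                    for _inc in $_pat; do        # unquoted: expand the glob, sorted
                        [ -f "$_inc" ] || continue
                        if _sshd_walk "$_inc"; then return 0; fi
                    done
                done ;;
            "$_want")
                shift
                printf '%s\n' "$*"
                return 0 ;;
        esac
    done < "$1"
    return 1
}

# Constructed fixture under ROOT ($1): a main file that includes the directory
# first (the Fedora layout described in the PR) and one drop-in that disagrees
# with the main file, so the drop-in is what sshd actually enforces.
sshd_make_sample() {
    mkdir -p "$1/sshd_config.d"
    printf '%s\n' '# constructed sample main file' \
        "Include $1/sshd_config.d/*.conf" \
        'PermitRootLogin yes' \
        'Match User backup' \
        'PasswordAuthentication yes' > "$1/sshd_config"
    printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' \
        > "$1/sshd_config.d/50-redhat.conf"
}

# Usage: build the fixture in a scratch directory and query it.
#   d=$(mktemp -d); sshd_make_sample "$d"
#   sshd_effective_value PermitRootLogin "$d/sshd_config"   # drop-in wins
```

Run against the fixture, `PermitRootLogin` resolves to `no` even though the main file says `yes`, which is exactly why the PR makes the other sshd rules scan the directory as well; a second call to `sshd_ensure_include` on an already remediated file leaves it untouched.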