diff options
-rw-r--r-- | doc/server/plugins/generators/cfg.txt | 3 | ||||
-rw-r--r-- | schemas/authorizedkeys.xsd | 70 | ||||
-rw-r--r-- | src/lib/Bcfg2/Server/Plugins/Cfg/CfgAuthorizedKeysGenerator.py | 17 |
3 files changed, 82 insertions, 8 deletions
diff --git a/doc/server/plugins/generators/cfg.txt b/doc/server/plugins/generators/cfg.txt index e3768a3ba..0f0601105 100644 --- a/doc/server/plugins/generators/cfg.txt +++ b/doc/server/plugins/generators/cfg.txt @@ -541,7 +541,8 @@ Example </Group> <Allow from="/root/.ssh/id_rsa.pub" host="foo.example.com"/> <Allow from="/home/foo_user/.ssh/id_rsa.pub"> - <Params command="/home/foo_user/.ssh/ssh_command_filter"/> + <Option name="command" value="/home/foo_user/.ssh/ssh_command_filter"/> + <Option name="no-X11-forwarding"/> </Allow> <Allow> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDw/rgKQeARRAHK5bQQhAAe1b+gzdtqBXWrZIQ6cIaLgxqj76TwZ3DY4A6aW9RgC4zzd0p4a9MfsScUIB4+UeZsx9GopUj4U6H8Vz7S3pXxrr4E9logVLuSfOLFbI/wMWNRuOANqquLYQ+JYWKeP4kagkVp0aAWp7mH5IOI0rp0A6qE2you4ep9N/nKvHDrtypwhYBWprsgTUXXMHnAWGmyuHGYWxNYBV9AARPdAvZfb8ggtuwibcOULlyK4DdVNbDTAN1/BDBE1ve6WZDcrc386KhqUGj/yoRyPjNZ46uZiOjRr3cdY6yUZoCwzzxvm5vle6mEbLjHgjGEMQMArzM9 vendor@example.com diff --git a/schemas/authorizedkeys.xsd b/schemas/authorizedkeys.xsd index 848f99bae..dbf32cc25 100644 --- a/schemas/authorizedkeys.xsd +++ b/schemas/authorizedkeys.xsd @@ -42,6 +42,43 @@ </xsd:attribute> </xsd:complexType> + <xsd:complexType name="OptionContainerType"> + <xsd:annotation> + <xsd:documentation> + An **OptionContainerType** is a tag used to provide logic. + Child entries of an OptionContainerType tag only apply to + machines that match the condition specified -- either + membership in a group, or a matching client name. + :xml:attribute:`OptionContainerType:negate` can be set to + negate the sense of the match. + </xsd:documentation> + </xsd:annotation> + <xsd:choice minOccurs="0" maxOccurs="unbounded"> + <xsd:element name="Group" type="OptionContainerType"/> + <xsd:element name="Client" type="OptionContainerType"/> + <xsd:element name="Option" type="AuthorizedKeysOptionType"/> + <xsd:element name="Params" type="AuthorizedKeysParamsType"/> + </xsd:choice> + <xsd:attribute name='name' type='xsd:string'> + <xsd:annotation> + <xsd:documentation> + The name of the client or group to match on. Child entries + will only apply to this client or group (unless + :xml:attribute:`OptionContainerType:negate` is set). + </xsd:documentation> + </xsd:annotation> + </xsd:attribute> + <xsd:attribute name='negate' type='xsd:boolean'> + <xsd:annotation> + <xsd:documentation> + Negate the sense of the match, so that child entries only + apply to a client if it is not a member of the given group + or does not have the given name. + </xsd:documentation> + </xsd:annotation> + </xsd:attribute> + </xsd:complexType> + <xsd:complexType name="AllowType" mixed="true"> <xsd:annotation> <xsd:documentation> @@ -50,6 +87,9 @@ </xsd:documentation> </xsd:annotation> <xsd:choice minOccurs="0" maxOccurs="unbounded"> + <xsd:element name="Group" type="OptionContainerType"/> + <xsd:element name="Client" type="OptionContainerType"/> + <xsd:element name="Option" type="AuthorizedKeysOptionType"/> <xsd:element name="Params" type="AuthorizedKeysParamsType"/> </xsd:choice> <xsd:attribute name="from" type="xsd:string"> @@ -77,12 +117,36 @@ </xsd:attribute> </xsd:complexType> + <xsd:complexType name="AuthorizedKeysOptionType"> + <xsd:annotation> + <xsd:documentation> + Specify options for public key authentication and connection. + See :manpage:`sshd(8)` for details on allowable options. + </xsd:documentation> + </xsd:annotation> + <xsd:attribute name="name" type="xsd:string" use="required"> + <xsd:annotation> + <xsd:documentation> + The name of the sshd option. + </xsd:documentation> + </xsd:annotation> + </xsd:attribute> + <xsd:attribute name="value" type="xsd:string"> + <xsd:annotation> + <xsd:documentation> + The value of the sshd option. This can be omitted for + options that take no value. + </xsd:documentation> + </xsd:annotation> + </xsd:attribute> + </xsd:complexType> + <xsd:complexType name="AuthorizedKeysParamsType"> <xsd:annotation> <xsd:documentation> - Specify parameters for public key authentication and - connection. See :manpage:`sshd(8)` for details on allowable - parameters. + **Deprecated** way to specify options for public key + authentication and connection. See :manpage:`sshd(8)` for + details on allowable parameters. </xsd:documentation> </xsd:annotation> <xsd:anyAttribute processContents="lax"/> diff --git a/src/lib/Bcfg2/Server/Plugins/Cfg/CfgAuthorizedKeysGenerator.py b/src/lib/Bcfg2/Server/Plugins/Cfg/CfgAuthorizedKeysGenerator.py index 824d01023..f304891d5 100644 --- a/src/lib/Bcfg2/Server/Plugins/Cfg/CfgAuthorizedKeysGenerator.py +++ b/src/lib/Bcfg2/Server/Plugins/Cfg/CfgAuthorizedKeysGenerator.py @@ -50,10 +50,19 @@ class CfgAuthorizedKeysGenerator(CfgGenerator, StructFile): spec = self.XMLMatch(metadata) rv = [] for allow in spec.findall("Allow"): - params = '' + options = [] if allow.find("Params") is not None: - params = ",".join("=".join(p) - for p in allow.find("Params").attrib.items()) + self.logger.warning("Use of <Params> in authorized_keys.xml " + "is deprecated; use <Option> instead") + options.extend("=".join(p) + for p in allow.find("Params").attrib.items()) + + for opt in allow.findall("Option"): + if opt.get("value"): + options.append("%s=%s" % (opt.get("name"), + opt.get("value"))) + else: + options.append(opt.get("name")) pubkey_name = allow.get("from") if pubkey_name: @@ -96,6 +105,6 @@ class CfgAuthorizedKeysGenerator(CfgGenerator, StructFile): (metadata.hostname, lxml.etree.tostring(allow))) continue - rv.append(" ".join([params, pubkey]).strip()) + rv.append(" ".join([",".join(options), pubkey]).strip()) return "\n".join(rv) get_data.__doc__ = CfgGenerator.get_data.__doc__ |