Merge pull request #18 from rfairburn/master

Support the 'match' syntax in sshd_config
Forrest 2014-09-19 10:22:28 -07:00
commit d27e4c94bf
2 changed files with 44 additions and 25 deletions


@ -2,6 +2,23 @@
{#- present in sshd_config and known in actual file options -#} {#- present in sshd_config and known in actual file options -#}
{%- set processed_options = [] -%} {%- set processed_options = [] -%}
{#- generic renderer used for sshd matches, known options, -#}
{#- and unknown options -#}
{%- macro render_option(keyword, default, config_dict=sshd_config) -%}
{%- set value = config_dict.get(keyword, default) -%}
{%- if value is sameas true -%}
{{ keyword }} yes
{%- elif value is sameas false -%}
{{ keyword }} no
{%- elif value is string or value is number -%}
{{ keyword }} {{ value }}
{%- else -%}
{%- for single_value in value -%}
{{ keyword }} {{ single_value }}
{% endfor -%}
{%- endif -%}
{%- endmacro -%}
{#- macros for render option according to present -#} {#- macros for render option according to present -#}
{%- macro option_impl(keyword, default, present) -%} {%- macro option_impl(keyword, default, present) -%}
{%- if present -%} {%- if present -%}
@ -10,18 +27,9 @@
{%- else -%} {%- else -%}
{%- set prefix='#' -%} {%- set prefix='#' -%}
{%- endif -%} {%- endif -%}
{%- set value = sshd_config.get(keyword, default) -%} {#- add prefix to keyword -#}
{%- if value is sameas true -%} {%- set keyword = prefix ~ keyword -%}
{{ prefix }}{{ keyword }} yes {{ render_option(keyword, default) }}
{%- elif value is sameas false -%}
{{ prefix }}{{ keyword }} no
{%- elif value is string or value is number -%}
{{ prefix }}{{ keyword }} {{ value }}
{%- else -%}
{%- for single_value in value -%}
{{ prefix }}{{ keyword }} {{ single_value }}
{% endfor -%}
{%- endif -%}
{%- endmacro -%} {%- endmacro -%}
{#- macros for render option commented by default -#} {#- macros for render option commented by default -#}
@ -129,18 +137,20 @@
{{ option('UseDNS', 'yes') }} {{ option('UseDNS', 'yes') }}
{# Handling unknown in salt template options #} {# Handling unknown in salt template options #}
{%- for keyword, argument in sshd_config.iteritems() %} {%- for keyword in sshd_config.keys() %}
{%- if not keyword in processed_options -%} {#- Matches have to be at the bottem and should be handled differently -#}
{%- if argument is sameas true %} {%- if not keyword in processed_options and keyword != 'matches' -%}
{{ keyword }} yes {#- send a blank default as it doesn't matter -#}
{%- elif argument is sameas false %} {{ render_option(keyword, '') }}
{{ keyword }} no
{%- elif argument is string or argument is number %}
{{ keyword }} {{ argument }}
{%- else %}
{%- for item in argument %}
{{ keyword }} {{ item }}
{%- endfor %}
{%- endif %}
{%- endif -%} {%- endif -%}
{%- endfor %} {%- endfor %}
{# Handle matches last as they need to go at the bottom #}
{%- if 'matches' in sshd_config %}
{%- for match in sshd_config['matches'].values() %}
Match {{ match['type'].keys()[0] }} {{ match['type'].values()[0] }}
{%- for keyword in match['options'].keys() %}
{{ render_option(keyword, '', config_dict=match['options']) }}
{%- endfor %}
{%- endfor %}
{%- endif %}
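Review bot: The new Match loop at the end of the template depends on dict ordering in two places: it iterates `sshd_config['matches'].values()` and takes `match['type'].keys()[0]`. The order of the emitted Match blocks can therefore differ between renders, and a `type` with more than one key has all but one criterion silently dropped. sshd generally keeps the first value it obtains for a keyword, so when a connection satisfies two Match blocks the effective setting may change with that order. Iterating in a stable order, e.g. `{%- for name, match in sshd_config['matches']|dictsort %}`, and rendering every key/value pair of `match['type']` on the Match line would make the output deterministic. Separately, `render_option` writes pillar values verbatim, so if pillar data is ever less trusted than the state itself, a value containing a newline would add extra lines to the rendered file; a comment on the macro stating that values must be single-line would document this.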


@ -30,6 +30,15 @@ sshd_config:
Subsystem: "sftp /usr/lib/openssh/sftp-server" Subsystem: "sftp /usr/lib/openssh/sftp-server"
UsePAM: 'yes' UsePAM: 'yes'
UseDNS: 'yes' UseDNS: 'yes'
matches:
sftp_chroot:
type:
Group: sftpusers
options:
ChrootDirectory: /sftp-chroot/%u
X11Forwarding: no
AllowTcpForwarding: no
ForceCommand: internal-sftp
openssh: openssh:
auth: auth:
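Review bot: The example's `ChrootDirectory: /sftp-chroot/%u` carries no comment on the ownership sshd requires for a chroot path. Every component of the path must be a root-owned directory that is not writable by any other user or group, otherwise sshd refuses the session. A comment above the key, such as `# /sftp-chroot and each per-user directory must be root-owned and not group- or world-writable`, would spare users of the example a refused login. Also, `X11Forwarding: no` and `AllowTcpForwarding: no` are unquoted and load as YAML booleans, which renders correctly only through the `sameas false` branch of the template; the neighbouring keys are quoted (`UsePAM: 'yes'`), so `'no'` would be consistent. The `sshd_config:` mapping starts outside the hunk.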