Update sshd lens to split additional list keys (#721)

Several configuration values used for setting crypto policy were being incorrectly parsed as raw strings when they are in fact lists. Treat them as such Specifically: - GSSAPIKexAlgorithms - PubkeyAcceptedKeyTypes - CASignatureAlgorithms * Add support for sshd_config.d per @georgehansper request Co-authored-by: Edward Garbade <[email protected]>
hercules-team · Nov 19, 2022 · 4fbf5bd · 4fbf5bd
1 parent e9c7ce3
commit 4fbf5bd
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 5 deletions.
diff --git a/lenses/sshd.aug b/lenses/sshd.aug
@@ -73,7 +73,7 @@ module Sshd =
    let indent = del /[ \t]*/ "  "
 
    let key_re = /[A-Za-z0-9]+/
-         - /MACs|Match|AcceptEnv|Subsystem|Ciphers|(Kex|HostKey)Algorithms|(Allow|Deny)(Groups|Users)/i
+         - /MACs|Match|AcceptEnv|Subsystem|Ciphers|((GSSAPI|)Kex|HostKey|CASignature)Algorithms|PubkeyAcceptedKeyTypes|(Allow|Deny)(Groups|Users)/i
 
    let comment = Util.comment
    let comment_noindent = Util.comment_noindent
@@ -119,10 +119,17 @@ module Sshd =
 
    let hostkeyalgorithms = list /HostKeyAlgorithms/i "HostKeyAlgorithms"
 
+   let gssapikexalgorithms = list /GSSAPIKexAlgorithms/i "GSSAPIKexAlgorithms"
+
+   let casignaturealgorithms = list /CASignatureAlgorithms/i "CASignatureAlgorithms"
+
+   let pubkeyacceptedkeytypes = list /PubkeyAcceptedKeyTypes/i "PubkeyAcceptedKeyTypes"
+
    let entry = accept_env | allow_groups | allow_users
              | deny_groups | subsystem | deny_users
              | macs | ciphers | kexalgorithms | hostkeyalgorithms
-             | other_entry
+             | gssapikexalgorithms | casignaturealgorithms
+             | pubkeyacceptedkeytypes | other_entry
 
    let condition_entry =
     let k = /[A-Za-z0-9]+/ in
@@ -144,7 +151,10 @@ module Sshd =
 
   let lns = (entry | comment | empty)* . match*
 
-  let xfm = transform lns (incl "/etc/ssh/sshd_config")
+  let filter = (incl "/etc/ssh/sshd_config" )
+               . ( incl "/etc/ssh/sshd_config.d/*.conf" )
+
+  let xfm = transform lns filter
 
 (* Local Variables: *)
 (* mode: caml       *)

diff --git a/lenses/tests/test_sshd.aug b/lenses/tests/test_sshd.aug
@@ -100,10 +100,14 @@ Match Group \"Domain users\"
 
 
 (* Test: Sshd.lns
-     Parse Ciphers, KexAlgorithms, HostKeyAlgorithms as lists (GH issue #69) *)
+     Parse Ciphers, KexAlgorithms, HostKeyAlgorithms as lists (GH issue #69)
+     Parse GSSAPIKexAlgorithms, PubkeyAcceptedKeyTypes, CASignatureAlgorithms as lists (GH PR #721) *)
 test Sshd.lns get "Ciphers [email protected],[email protected],aes256-ctr,aes128-ctr
 KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
-HostKeyAlgorithms [email protected],[email protected],ssh-ed25519,ssh-rsa\n" =
+HostKeyAlgorithms [email protected],[email protected],ssh-ed25519,ssh-rsa
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-
+PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384
+CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521\n" =
   { "Ciphers"
     { "1" = "[email protected]" }
     { "2" = "[email protected]" }
@@ -121,6 +125,21 @@ HostKeyAlgorithms [email protected],[email protected],
     { "3" = "ssh-ed25519" }
     { "4" = "ssh-rsa" }
   }
+  { "GSSAPIKexAlgorithms"
+    { "1" = "gss-curve25519-sha256-" }
+    { "2" = "gss-nistp256-sha256-" }
+    { "3" = "gss-group14-sha256-" }
+  }
+  { "PubkeyAcceptedKeyTypes"
+    { "1" = "ecdsa-sha2-nistp256" }
+    { "2" = "[email protected]" }
+    { "3" = "ecdsa-sha2-nistp384" }
+  }
+  { "CASignatureAlgorithms"
+    { "1" = "ecdsa-sha2-nistp256" }
+    { "2" = "ecdsa-sha2-nistp384" }
+    { "3" = "ecdsa-sha2-nistp521" }
+  }
 
 (* Test: Sshd.lns
      Keys are case-insensitive *)