Parsers for SSH configuration
SshDConfig - file /etc/ssh/sshd_config
SshDConfigD - file /etc/ssh/sshd_config.d/*.conf
SshdTestMode - command sshd -T
- class insights.parsers.ssh.SshDConfig(context)[source]
Bases: Parser
Parsing for the /etc/ssh/sshd_config file.
The ssh module provides parsing for the sshd_config file. The SshDConfig class implements the parsing and provides a list of all configuration lines present in the file. Sample input is provided in the Examples.
Examples
>>> 'Port' in sshd_config
True
>>> 'PORT' in sshd_config
True
>>> 'AddressFamily' in sshd_config
False
>>> sshd_config['port']
['22', '22']
>>> sshd_config['Protocol']
['1']
>>> [line for line in sshd_config if line.keyword == 'Port']
[KeyValue(keyword='Port', value='22', kw_lower='port', line='Port 22'), KeyValue(keyword='Port', value='22', kw_lower='port', line='Port 22')]
>>> sshd_config.last('ListenAddress')
'10.110.1.1'
>>> sshd_config.get_line('ListenAddress')
'ListenAddress 10.110.1.1'
>>> sshd_config.get_values('ListenAddress')
['10.110.0.1', '10.110.1.1']
>>> sshd_config.get_values('ListenAddress', default='0.0.0.0')
['10.110.0.1', '10.110.1.1']
>>> sshd_config.get_values('ListenAddress', join_with=',')
'10.110.0.1,10.110.1.1'
- Properties:
- lines (list): List of KeyValue namedtuples, one for each configuration
line in the file.
- keywords (set): Set of keywords present in the configuration
file, each keyword has been converted to lowercase.
- class KeyValue(keyword, value, kw_lower, line)
Bases: tuple
namedtuple: Represents one keyword/value pair, keeping both the keyword as written and its lower-cased form so that lookups can be case-insensitive.
- keyword
- kw_lower
- line
- value
- get(keyword)[source]
Get all declarations of this keyword in the configuration file.
- Returns:
- a list of named tuples with the following properties:
keyword - the keyword as given on that line
value - the value of the keyword
kw_lower - the keyword converted to lower case
line - the complete line as found in the config file
- Return type:
(list)
- get_line(keyword, default='')[source]
(str): Get the line with the last declaration of this keyword in the configuration file, optionally pretending that there was a line with the default value, together with a comment informing the user that this default line was synthesised.
This is a hack, but it is commonly needed with sshd configuration because many lines are omitted when they have their default value.
- Parameters:
keyword (str) -- Keyword to find
default -- optional value to supply if not found
- get_values(keyword, default='', join_with=None, split_on=None)[source]
Get all the values assigned to this keyword.
Firstly, if the keyword is not found in the configuration file, the value of the default option is used (defaulting to ''). Then, if the join_with option is given, this string is used to join the values found on each separate definition line; otherwise, each separate definition line is returned as a string in a list. Finally, if the split_on option is given, this string is used to split the combined string above into a list; otherwise, the combined string is returned as is.
- last(keyword, default=None)[source]
str: Returns the value of the last declaration of the keyword found in the config. Note that sshd itself honours the first value it reads for a repeated, non-cumulative keyword (see sshd_config(5)), so for such keywords last() is not necessarily the effective setting; the SshdTestMode parser of sshd -T output reports the effective configuration.
- Parameters:
keyword (str) -- Keyword to find
default -- optional value to supply if not found
- line_uses_plus(keyword)[source]
(union[bool, None]): Get the line with the last declaration of this keyword in the configuration file and return whether the “+” option syntax is used.
A “+” before the list of values denotes that the values are appended to the openssh defaults for the particular keyword.
Returns True if the “+” is used, False if a line with the keyword was found but it doesn’t use the “+” or None if such a line doesn’t exist.
Reasoning for the implementation:
The “+” means “added to the defaults”.
The defaults depend on the particular openssh-server version and the parser doesn’t know the version.
Therefore, it is infeasible to add the evaluation logic for “+” into get_values().
Adding the logic into a combiner would mean a requirement that the combiner has a complete database of all defaults in all openssh-server version - infeasible again.
Not every keyword allows the use of “+” - it wouldn’t make sense to parse “+” into KeyValue as it would make meaningless parsing for some options and meaningful for others. Building a database which options in which openssh-server versions support it or not would be infeasible.
The approach chosen as most sensible is this: line_uses_plus() is used selectively by a rule for those options that support it, and it is up to the developer of such a rule to check manually which options those are.
- Parameters:
keyword (str) -- Keyword to find
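The following is an added example, not insights-core's own code: a minimal stand-in for the SshDConfig API documented above, with the same case-insensitive lookup, KeyValue records, last(), get_line(), get_values() (join_with/split_on) and line_uses_plus() behaviour, followed by a small rule-style check that uses them. The sample sshd_config, the class and function names, the wording of the synthesised default line, and the split_on-without-join_with flattening are this example's own choices, not the project's.

```python
# Added example, not insights-core's own code: a minimal stand-in for the
# SshDConfig API described above, so its lookup semantics can be tried offline.
import re
from collections import namedtuple

KeyValue = namedtuple("KeyValue", ["keyword", "value", "kw_lower", "line"])

# Constructed sample sshd_config, not captured from a real host.
SAMPLE_SSHD_CONFIG = """\
# Port and ListenAddress may legitimately repeat (cumulative keywords)
Port 22
Port 22
Protocol 1
ListenAddress 10.110.0.1
ListenAddress 10.110.1.1
PermitRootLogin yes
Ciphers +aes128-cbc,3des-cbc
MACs hmac-sha2-256
"""


class MiniSshDConfig(object):
    def __init__(self, content):
        self.lines = []
        for raw in content.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            # sshd_config accepts "Keyword value" as well as "Keyword=value"
            keyword, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
            self.lines.append(KeyValue(keyword, value, keyword.lower(), line))
        self.keywords = set(kv.kw_lower for kv in self.lines)

    def __contains__(self, keyword):
        return keyword.lower() in self.keywords

    def __getitem__(self, keyword):
        return [kv.value for kv in self.get(keyword)]

    def __iter__(self):
        return iter(self.lines)

    def get(self, keyword):
        """All declarations of keyword as KeyValue records, in file order."""
        kw = keyword.lower()
        return [kv for kv in self.lines if kv.kw_lower == kw]

    def last(self, keyword, default=None):
        """Value of the last declaration, or default if the keyword is absent."""
        found = self.get(keyword)
        return found[-1].value if found else default

    def get_line(self, keyword, default=""):
        """Last line declaring keyword, or a synthesised default line with a
        marker comment (the comment wording here is this example's choice)."""
        found = self.get(keyword)
        if found:
            return found[-1].line
        return "%s %s  # default: not present in file" % (keyword, default)

    def get_values(self, keyword, default="", join_with=None, split_on=None):
        values = self[keyword] or [default]
        if join_with is not None:
            values = join_with.join(values)
        if split_on is not None:
            if isinstance(values, str):
                values = values.split(split_on)
            else:
                # This example's assumption for split_on without join_with:
                # split every declaration and flatten the pieces into one list.
                values = [v for value in values for v in value.split(split_on)]
        return values

    def line_uses_plus(self, keyword):
        """True/False for a '+' prefix on the last declaration; None if absent."""
        found = self.get(keyword)
        return found[-1].value.startswith("+") if found else None


def check_weak_settings(cfg):
    """Rule-style checks built on the API above; returns readable findings."""
    findings = []
    if cfg.last("PermitRootLogin", "prohibit-password").lower() == "yes":
        findings.append("root login permitted: " + cfg.get_line("PermitRootLogin"))
    if "1" in cfg.get_values("Protocol", default="2", join_with=",", split_on=","):
        findings.append("SSH protocol 1 enabled: " + cfg.get_line("Protocol"))
    ciphers = cfg.get_values("Ciphers", join_with=",", split_on=",")
    weak = [c for c in ciphers if c.lstrip("+-^").endswith("-cbc")]
    if weak:
        # '+' means these are added to the build's defaults, not the whole list
        how = "appended to defaults" if cfg.line_uses_plus("Ciphers") else "set explicitly"
        findings.append("CBC ciphers %s: %s" % (how, ",".join(weak)))
    return findings
```

The cipher check shows why line_uses_plus() is kept separate from get_values(): a “+” line tells you CBC ciphers were added, but the full effective list still depends on the installed OpenSSH build's defaults, which this parser cannot know.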
- class insights.parsers.ssh.SshDConfigD(context)[source]
Bases: SshDConfig
Parsing for the /etc/ssh/sshd_config.d/*.conf files.
Typical content looks like:
Include /etc/crypto-policies/back-ends/opensshserver.config
SyslogFacility AUTHPRIV
ChallengeResponseAuthentication no
Examples
>>> sshd_config_d['Include']
['/etc/crypto-policies/back-ends/opensshserver.config']
- Properties:
- lines (list): List of KeyValue namedtuples, one for each configuration
line in the file.
- keywords (set): Set of keywords present in the configuration
file, each keyword has been converted to lowercase.
- class insights.parsers.ssh.SshdTestMode(context)[source]
Bases: Parser, dict
This parser reads the output of the “/usr/sbin/sshd -T” command, which prints the effective server configuration (one lower-cased keyword and its value per line) after validating the configuration files.
Sample output:
port 22
addressfamily any
listenaddress [::]:22
listenaddress 0.0.0.0:22
usepam yes
logingracetime 120
x11displayoffset 10
x11maxdisplays 1000
maxauthtries 6
ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
macs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
Examples
>>> len(sshd_test_mode)
10
>>> sshd_test_mode.get("listenaddress")
['[::]:22', '0.0.0.0:22']
>>> sshd_test_mode.get("ciphers")
['aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr']
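As an added example (not insights-core's code), the following parses sshd -T output into the same shape SshdTestMode presents, a lower-cased keyword mapped to a list of values with repeated keywords accumulated, and then audits the effective configuration. Because sshd -T has already resolved Include files and the build's compiled-in defaults (Match blocks only when -C connection parameters are supplied), the algorithm lists it prints are complete and carry no “+”/“-” prefixes, which is what makes this output the right place for cipher and MAC checks. The sample output is constructed to match the shape shown above; the function names and the audit thresholds are this example's own.

```python
# Added example, not insights-core's own code: parse `sshd -T` output the way
# SshdTestMode presents it (lower-cased keyword -> list of values, duplicates
# accumulated) and audit the effective configuration it reports.

# Constructed sample shaped like the `sshd -T` output above; not from a real host.
SAMPLE_SSHD_T = """\
port 22
addressfamily any
listenaddress [::]:22
listenaddress 0.0.0.0:22
usepam yes
logingracetime 120
x11displayoffset 10
x11maxdisplays 1000
maxauthtries 6
ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
macs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
"""


def parse_sshd_test_mode(output):
    """Return {keyword: [values...]} from `sshd -T` text.

    sshd -T prints one "keyword value" pair per line with the keyword already
    lower-cased and with Include files and compiled-in defaults resolved, so
    there is no '+'/'-' prefix left to interpret; repeated keywords such as
    listenaddress are collected into a list.
    """
    result = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        keyword, _, value = line.partition(" ")
        result.setdefault(keyword, []).append(value)
    return result


def algorithms(cfg, keyword):
    """Flatten a comma-separated algorithm keyword (ciphers, macs, ...) into a list."""
    return [a for value in cfg.get(keyword, []) for a in value.split(",") if a]


def audit_effective_config(cfg):
    """Checks run against the effective config; the thresholds are this example's."""
    findings = []
    weak_macs = [m for m in algorithms(cfg, "macs") if "sha1" in m or "md5" in m]
    if weak_macs:
        findings.append("weak MACs offered: " + ",".join(weak_macs))
    weak_ciphers = [c for c in algorithms(cfg, "ciphers")
                    if c.endswith("-cbc") or c.startswith(("3des", "arcfour"))]
    if weak_ciphers:
        findings.append("weak ciphers offered: " + ",".join(weak_ciphers))
    # Absent keys fall back to the documented OpenSSH defaults for these options
    if cfg.get("permitrootlogin", ["prohibit-password"])[0] == "yes":
        findings.append("root login permitted")
    if int(cfg.get("maxauthtries", ["6"])[0]) > 4:
        findings.append("maxauthtries above 4: " + cfg["maxauthtries"][0])
    return findings
```

Run against the sample, the parser yields ten keys (listenaddress holding two values), and the audit flags the two SHA-1 MACs the sample still offers while the cipher list passes.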