
Using puppet's augeas capability I want to modify the config file:

/etc/ssh/sshd_config

Without puppet I've experimented using Augeas's "augtool" and found a couple of lines which seem to work:

augtool> set /files/etc/ssh/sshd_config/Match[1]/Condition/User "bill","ben"   
augtool> set /files/etc/ssh/sshd_config/Match/Settings/PasswordAuthentication "no" 
augtool> save

Although it seems to work OK, I don't really understand what purpose the [1] serves here.

I've tried without success to put those lines into Puppet:

augeas { "sshd_config":
  context => "/files/etc/ssh/sshd_config",
  changes => [
  'set Match[1]/Condition/User "bill","ben"',
  'set Settings/PasswordAuthentication "no"',
  ],     
}

It gives the error: Error: /Stage[main]/Samipermissions/Augeas[sshd_config]: Could not evaluate: Saving failed, see debug

Running Puppet in debug mode tells me the same thing.

Does anybody know how this is meant to work?

THANK YOU m0dlx. Your answer has moved me past the error I was getting; however, I think I'm still a bit lost with the array of Matches. Using "augtool" I can do the following:

set /files/etc/ssh/sshd_config/Match[1]/Condition/User "neil","nigel"
set /files/etc/ssh/sshd_config/Match[1]/Settings/PasswordAuthentication "no" 
set /files/etc/ssh/sshd_config/Match[2]/Condition/User "yvonne","yvette"
set /files/etc/ssh/sshd_config/Match[2]/Settings/PasswordAuthentication "yes" 

In the config file this appears as:

Match User neil,nigel
  PasswordAuthentication no
Match User yvonne,yvette
  PasswordAuthentication yes

Which is perfect. I translated this to Puppet as:

  augeas { "sshd_config":
    context => "/files/etc/ssh/sshd_config",
    changes => [
      'set Match[1]/Condition/User "neil","nigel"',
      'set Match[1]/Settings/PasswordAuthentication "no"',
      'set Match[2]/Condition/User "yvonne","yvette"',
      'set Match[2]/Settings/PasswordAuthentication "yes"',
    ],
  }

But the result in the config file is quite different:

Match User neil
  PasswordAuthentication no
Match User yvonne
  PasswordAuthentication yes
user835745

2 Answers

Although it seems to work OK, I don't really understand what purpose the [1] serves here.

The [1] is like accessing an array element; it indicates you want to access the first Match entry if there are multiple.

'set Settings/PasswordAuthentication "no"',

You've missed off the leading Match/ that you had in the augtool test; this might cause the save failure from Puppet.

If you still have a problem, please include the full debug output from Puppet in the question.

Dominic Cleal
  • Also, [augeasproviders_ssh](https://forge.puppet.com/herculesteam/augeasproviders_ssh) has an `sshd_config` provider that manages conditions pretty well: https://forge.puppet.com/herculesteam/augeasproviders_ssh#manage-entry-in-a-match-block – raphink Jul 25 '16 at 15:46
  • Thank you Raphink but I'm trying to get to grips with Augeas rather than use an imported module – user835745 Jul 25 '16 at 17:29
  • Thank you m0dlx that was a great help, sadly it doesn't get me quite where I need to be. I've added to the question taking your help into account – user835745 Jul 25 '16 at 17:46
  • Try removing the middle set of quotes from the names, e.g. `'set Match[1]/Condition/User "neil,nigel"',` – Dominic Cleal Jul 26 '16 at 07:04
  • m0dlx you are a star. Thank you very much. Between your answer and your comment you have helped me immensely, thank you. – user835745 Jul 26 '16 at 12:49

The answer and later comment from m0dlx led me to the following which works perfectly:

  augeas { "sshd_config":
    context => "/files/etc/ssh/sshd_config",
    changes => [
      'set Match[1]/Condition/User "neil,nigel"',
      'set Match[1]/Settings/PasswordAuthentication "no"',
      'set Match[2]/Condition/User "yvonne,yvette"',
      'set Match[2]/Settings/PasswordAuthentication "yes"',
    ],
  }

Thank you m0dlx.

user835745
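An added example, not part of the original posts: a Python check that compares the `Match User` blocks in a rendered sshd_config against the intended per-user `PasswordAuthentication` values, so the silent truncation shown in the question (`Match User neil` instead of `Match User neil,nigel`) is caught instead of leaving a user outside their block. The function names are hypothetical, the sample configs are copied from the question, and the parser assumes literal user names in `Match User a,b` lines (no patterns, negation or other criteria).

```python
# Constructed inputs: the two renderings of sshd_config shown in the question.
RENDERED_OK = """\
Match User neil,nigel
  PasswordAuthentication no
Match User yvonne,yvette
  PasswordAuthentication yes
"""
RENDERED_TRUNCATED = """\
Match User neil
  PasswordAuthentication no
Match User yvonne
  PasswordAuthentication yes
"""
# Intended policy, taken from the augtool commands in the question.
EXPECTED = {"neil": "no", "nigel": "no", "yvonne": "yes", "yvette": "yes"}


def match_user_settings(config_text, keyword="PasswordAuthentication"):
    """Map each user listed on a 'Match User' line to the keyword's value in that block."""
    result = {}
    current_users = None  # None while still in the global section
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if name == "match":
            crit = arg.split()
            if len(crit) == 2 and crit[0].lower() == "user":
                current_users = crit[1].split(",")
            else:
                current_users = []  # other criteria are out of scope here
        elif current_users is not None and name == keyword.lower():
            for user in current_users:
                # sshd applies the first instance of a keyword it encounters
                result.setdefault(user, arg.lower())
    return result


def drift(expected, config_text):
    """Return {user: actual_value_or_None} for every user whose setting differs."""
    actual = match_user_settings(config_text)
    return {u: actual.get(u) for u, want in expected.items() if actual.get(u) != want}


if __name__ == "__main__":
    print("correct rendering:  ", drift(EXPECTED, RENDERED_OK))
    print("truncated rendering:", drift(EXPECTED, RENDERED_TRUNCATED))
```

A value of `None` means the user appears in no `Match User` block, which is what happens to `nigel` and `yvette` in the truncated rendering.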