1

In the config file /etc/ssh/sshd_config I want to determine PasswordAuthentication entries for a few specific users (or groups), like:

Match Group xyz_admin,xyz_support
  PasswordAuthentication no
Match User yvonne,yvette
  PasswordAuthentication yes

I don't want to interfere with or have any control over similar but unrelated entries which may or may not be present like:

Match User xavier
    X11Forwarding yes
Match Group alice
    AllowTcpForwarding yes

The following Augeas expressions create the entries I need but could corrupt existing configuration entries.

set /files/etc/ssh/sshd_config/Match[1]/Condition/Group "xyz_admin,xyz_support"
set /files/etc/ssh/sshd_config/Match[1]/Settings/PasswordAuthentication "no"
set /files/etc/ssh/sshd_config/Match[2]/Condition/User "yvonne,yvette"
set /files/etc/ssh/sshd_config/Match[2]/Settings/PasswordAuthentication "yes" 

Any idea how I can make these expressions more specific so they avoid messing with any existing and unrelated "Match" entries?

user835745

1 Answer

0

You can use the Condition/* subnodes to filter out the Match nodes.

For an example, you can see how it is done in the Puppet sshd_config provider (in Ruby). Note that all keys in sshd_config are case-insensitive, so you need to use regular expressions to be sure to match them regardless of their case.

raphink
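
The filtering this answer describes, written out as augtool commands for the two blocks in the question. This is an added example, not code from the post or from the Puppet provider, and it assumes an Augeas build whose regexp() accepts the "i" flag.

```augeas
# 1. Audit first, case-insensitively. sshd accepts "passwordauthentication" or
#    "match user ..." as readily as the canonical spelling, so look for any
#    existing variant before writing.

# Every Match block that already sets PasswordAuthentication, in any case:
match /files/etc/ssh/sshd_config/Match/Settings/*[label() =~ regexp("passwordauthentication", "i")]

# Blocks whose only condition is this user list, keyword in any case:
match /files/etc/ssh/sshd_config/Match[count(Condition/*) = 1][Condition/*[label() =~ regexp("user", "i")] = "yvonne,yvette"]

# Same check for the group list:
match /files/etc/ssh/sshd_config/Match[count(Condition/*) = 1][Condition/*[label() =~ regexp("group", "i")] = "xyz_admin,xyz_support"]

# 2. Write by condition, not by position. Match[1] and Match[2] are replaced
#    by a predicate on Condition/*, so "Match User xavier" and
#    "Match Group alice" are never selected. If no block satisfies the
#    predicate, Augeas creates a new Match node; the first set in each pair
#    gives it the condition, the second adds the setting.
#    These predicates are exact-case: if step 1 found a differently cased
#    variant, edit that node rather than letting a duplicate be created.
set /files/etc/ssh/sshd_config/Match[Condition/Group = "xyz_admin,xyz_support"]/Condition/Group "xyz_admin,xyz_support"
set /files/etc/ssh/sshd_config/Match[Condition/Group = "xyz_admin,xyz_support"]/Settings/PasswordAuthentication "no"

set /files/etc/ssh/sshd_config/Match[Condition/User = "yvonne,yvette"]/Condition/User "yvonne,yvette"
set /files/etc/ssh/sshd_config/Match[Condition/User = "yvonne,yvette"]/Settings/PasswordAuthentication "yes"

# 3. Review the resulting tree, then write it out.
print /files/etc/ssh/sshd_config/Match
save
```

After `save`, `sshd -t` checks the rewritten file before the daemon is reloaded, which matters here because a broken Match block can lock out password or key logins.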