AllowGroups does not work with condition. #29

Open
mvintila opened this issue Oct 14, 2016 · 12 comments

Comments

@mvintila

mvintila commented Oct 14, 2016

This doesn't work:

sshd_config_match { "LocalPort 2022":
  ensure   => present,
}

sshd_config { "AllowGroups":
  ensure    => present,
  condition => 'LocalPort 2022',
  value     => ['filedrop'],
}

The error is:

Error: /Stage[main]/Main/Node[__node_regexp__a-z0-9-filedrop-d]/Sshd_config[AllowGroups]: Could not evaluate: Failed to save Augeas tree to file. See debug logs for details.

If I enable debug logging it looks like this:

Notice: /Stage[main]/Main/Node[__node_regexp__a-z0-9-filedrop-d]/Sshd_config[AllowGroups]/ensure: created
Debug: Puppet::Type::Sshd_config::ProviderAugeas: Save failure details:
/augeas/files/etc/ssh/sshd_config/error/path = /files/etc/ssh/sshd_config/Match/Settings
/augeas/files/etc/ssh/sshd_config/error/lens = /usr/share/augeas/lenses/dist/sshd.aug:129.12-.44:
/augeas/files/etc/ssh/sshd_config/error/message = Failed to match
    [lens regular expression for the Match/Settings node: several thousand characters of the sshd.aug keyword alternation, cut mid-line by extraction and not reproduced here]
  with tree
    { "X11Forwarding" = "no" } { "PasswordAuthentication" = "yes" } { "AllowTCPForwarding" = "no" } { "AllowGroups" }
Error: /Stage[main]/Main/Node[__node_regexp__a-z0-9-filedrop-d]/Sshd_config[AllowGroups sftp]: Could not evaluate: Failed to save Augeas tree to file. See debug logs for details.
@mvintila mvintila changed the title AllowUsers does not work with condition. AllowGroups does not work with condition. Oct 14, 2016
@mvintila
Author

I should mention that AllowGroups works fine if condition is not specified, placing the directive in the global config, but I need it inside a Match condition.

The same is true for the following directives:

sshd_config { "ChrootDirectory":
  ensure    => present,
  condition => 'LocalPort 2022',
  value     => '/var/sftp/users/%u',
}
sshd_config { "ForceCommand":
  ensure    => present,
  condition => 'LocalPort 2022',
  value     => 'internal-sftp -d /files',
}

@raphink
Member

raphink commented Oct 31, 2016

Which version of Augeas are you using?

@bogdan-radocea

bogdan-radocea commented Nov 1, 2016

Augeasproviders_core is 2.1.1
Augeasproviders_ssh is 2.5.0
I'm a colleague of his, working on the same project.

@raphink
Member

raphink commented Nov 2, 2016

@bogdan-radocea ok, and what is the version of the Augeas library?

@bogdan-radocea

How can I check? :)

@raphink
Member

raphink commented Jan 10, 2017

@bogdan-radocea are you using the Puppet AIO packages or your OS packages?

@bogdan-radocea

Puppet AIO, installed with: puppet module install

@raphink
Member

raphink commented Jan 11, 2017

@bogdan-radocea can you post the content of the sshd_config file that fails?

@bogdan-radocea

This is what we want to do:
Port 2022
Match LocalPort 2022
AllowGroups restricted-sftp
PasswordAuthentication yes
ChrootDirectory /var/sftp/users/%u
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp -d /files

@raphink
Member

raphink commented Jan 11, 2017

Right, but what does the file contain before applying?

@bogdan-radocea

Standard Ubuntu fresh install, so default Ubuntu settings:

~$ grep -v ^# /etc/ssh/sshd_config 
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
AddressFamily inet
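
The two files in this thread, the stock Ubuntu sshd_config above and the `Match LocalPort 2022` block posted earlier, can be checked against each other with a small parser: the point of the issue is that AllowGroups, ChrootDirectory and ForceCommand must land inside the Match block, because written in the global section they would restrict or chroot every connection rather than only the SFTP port. This is an added example, not code from augeasproviders_ssh or Augeas; the sample configs (trimmed from what was posted), the `REQUIRED_SFTP` table, the `MISPLACED` failure case and the function names are constructed for illustration, and the parser ignores Include and quoting.

```python
# Added example: verify that sshd directives landed inside the intended
# Match block. Not code from augeasproviders_ssh or Augeas.
import re

# Constructed: the posted Ubuntu default file (trimmed) before Puppet runs.
BEFORE = """\
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
PermitRootLogin yes
X11Forwarding yes
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
"""

# Constructed: the end state the thread asks for, with the restricted SFTP
# settings scoped to port 2022 through a Match block.
AFTER = BEFORE + """\
Port 2022
Match LocalPort 2022
    AllowGroups restricted-sftp
    PasswordAuthentication yes
    ChrootDirectory /var/sftp/users/%u
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp -d /files
"""

# Constructed failure case: AllowGroups written globally instead of in the
# Match block, so it now restricts logins on every port, not just 2022.
MISPLACED = BEFORE + """\
AllowGroups restricted-sftp
Port 2022
Match LocalPort 2022
    PasswordAuthentication yes
    ChrootDirectory /var/sftp/users/%u
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp -d /files
"""

# Directives expected inside the Match block (from the thread).
REQUIRED_SFTP = {
    "AllowGroups": "restricted-sftp",
    "PasswordAuthentication": "yes",
    "ChrootDirectory": "/var/sftp/users/%u",
    "AllowTCPForwarding": "no",
    "X11Forwarding": "no",
    "ForceCommand": "internal-sftp -d /files",
}


def parse_sshd_config(text):
    """Split sshd_config into (global_settings, match_blocks).

    Keywords are case-insensitive, so they are lower-cased; a keyword may
    repeat (HostKey, Port), hence values are lists. match_blocks keeps file
    order because sshd uses the first block whose criteria match.
    """
    global_settings = {}
    match_blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Key value", "Key=value" and "Key = value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}  # every directive below belongs to this block
            match_blocks.append((value, current))
            continue
        current.setdefault(key, []).append(value)
    return global_settings, match_blocks


def check_match_block(text, criteria, required):
    """Return a list of problems; an empty list means the block is as required.

    Reports a missing block, a missing or differing directive, and a
    directive/value that is also set globally (which applies it to every
    connection, not just the matched ones).
    """
    global_settings, blocks = parse_sshd_config(text)
    block = next((s for c, s in blocks if c.lower() == criteria.lower()), None)
    if block is None:
        return ["no 'Match %s' block" % criteria]
    problems = []
    for key, expected in required.items():
        actual = block.get(key.lower())
        if actual is None:
            problems.append("%s missing from Match %s" % (key, criteria))
        elif expected not in actual:
            problems.append("%s in Match %s is %s, expected %r"
                            % (key, criteria, actual, expected))
        if expected in global_settings.get(key.lower(), []):
            problems.append("%s %s is also set globally, so it applies to every connection"
                            % (key, expected))
    return problems


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER), ("misplaced", MISPLACED)):
        print(name, check_match_block(cfg, "LocalPort 2022", REQUIRED_SFTP) or "OK")
```

Run against the real file with `check_match_block(open("/etc/ssh/sshd_config").read(), "LocalPort 2022", REQUIRED_SFTP)` after a Puppet run to confirm the directives are scoped as intended; the "also set globally" case is the one that matters for ChrootDirectory and ForceCommand, since a global chroot or forced command would affect interactive administrators too.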

@raphink
Member

raphink commented Oct 19, 2018

I just ran @mvintila's original example on @bogdan-radocea's file without a problem with augeas 1.10.1, ruby-augeas 0.5 and Puppet 5.5.6, 4.10.12 and 6.0.2.

@bogdan-radocea @mvintila can you provide info on a configuration that fails?
