Ask Your Question
0

Augeas /etc/ssh/sshd_config 'Banner' and 'Match Host' Issue

asked 2015-04-06 13:16:53 -0600

br00tal gravatar image

updated 2015-04-06 13:18:46 -0600

Hi everyone. First off, I may be suffering a little from the "staring at this too long" syndrome, because this doesn't seem like it should be too hard or unclear. Maybe a second set of eyes would help!

I have the following two Augeas entries:

augeas { "${sshd_config} banner exclude":
  context => "/files/${sshd_config}",
  changes => [
    "set Match/Condition/Host ${banner_exclude}",
    'set Match/Settings/Banner /dev/null',
  ],
  onlyif  => "match Match/*[Host = ${banner_exclude}] size == 0",
  notify  => Service['sshd'],
}
augeas { "${sshd_config} banner":
  context => "/files/${sshd_config}",
  changes => [
    'ins Banner before Match[1]',
    "set Banner ${banner_file}",
  ],
  notify  => Service['sshd'],
}

In short, I'm trying to ensure 'Banner' is set to '/etc/issue' on all servers, except when logging in from one host ($banner_exclude). Everything works on the first pass. The Match section is created, and then the Banner is added just above that. The second run, however, leads to this:

Error: /Stage[main]/Banner/Augeas[/etc/ssh/sshd_config banner]: Could not evaluate: Saving failed, see debug

I'm assuming I need some sort of onlyif or something, but nothing I tried seemed to work appropriately. Also, I'd like to find a way to ensure that the Match Host section is added last if there happen to be other Match Host blocks in the file already. As of now, it clobbers the first one. After that, the onlyif I added seems to keep everything for getting clobbered again, even if it's not the first Match block anymore. This isn't as big of a deal as the above error, but I'm sure there's a pretty simple way to resolve that issue, too. I tried Match[last()+1], but it seems like the way Match is set up in Augeas isn't really seq like it is for, say, /etc/hosts.

edit retag flag offensive close merge delete

Comments

Stupid Q: But why don't you just distribute a file resource?

Kai Burghardt gravatar imageKai Burghardt ( 2015-04-06 15:50:17 -0600 )edit

(writing as word automatically detects spam): following the principle spelling K, I, S, and another S meaning keep it simple stupid.

Kai Burghardt gravatar imageKai Burghardt ( 2015-04-06 15:51:21 -0600 )edit

Would love to, except our environment, at least in this case, has some unique elements. It's really not something I can adequately explain on this site.

br00tal gravatar imagebr00tal ( 2015-04-06 16:17:20 -0600 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2015-04-06 23:03:29 -0600

GregLarkin gravatar image

I haven't tried it, so YMMV, but I think you want to adjust your "set" and "ins" commands somewhat like so:

    "set Match[Host = ${banner_exclude}]/Condition/Host ${banner_exclude}",
    'set Match[Host = ${banner_exclude}]/Settings/Banner /dev/null',
  ],
  onlyif  => "match Match/*[Host = ${banner_exclude}] size == 0",

That will create a new node instead of trashing the first "Match" it finds. I may not have the syntax quite right, but you can probably figure it out with the use of augtool.

The second augeas resource might then look like:

'ins Banner before Match[Host = ${banner_exclude}]',
"set Banner ${banner_file}",

I'm not sure about that "set Banner" command just above. You may need to figure out a way to reference it specifically, and certainly an additional onlyif attribute is required to prevent the resource from being applied continually.

My typical process for determining the best augeas changes commands is to start with the final version of the file that I want. Then I fire up augtool and print the node tree. Once I see how augeas has processed the file and built the path references, I start experimenting with rm, ins, and set commands until I figure out what I need in my Puppet resource.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2015-04-06 13:16:53 -0600

Seen: 1,054 times

Last updated: Apr 06 '15