a Ug~.@stddlZddlZddlZddlmZddlmZGdddeZGdddeZGd d d eZ d d Z d dZ dS)N)mkstemp)ConfigGeneratorc@seZdZdddddddddddddd d dddddd d Zd ddddddZdddddddZddddddd d!d"d#d$ Zd%d&d'Zd(d)d*d+d,d-d.d/Zd0d1d2d3d4d5d6d7d8d9d: Z d;dd?d@dAdBdCdDd: Z e dEdFZ dGS)HOpenSSHGeneratorzaes256-gcm@openssh.comz aes256-ctrz aes192-ctrzaes128-gcm@openssh.comz aes128-ctrzchacha20-poly1305@openssh.comz aes256-cbcz aes192-cbcz aes128-cbcz3des-cbc)z AES-256-GCMz AES-256-CTRz AES-192-GCMz AES-192-CTRz AES-128-GCMz AES-128-CTRzCHACHA20-POLY1305zCAMELLIA-256-GCMz AES-256-CCMz AES-192-CCMz AES-128-CCMzCAMELLIA-128-GCMz AES-256-CBCz AES-192-CBCz AES-128-CBCzCAMELLIA-256-CBCzCAMELLIA-128-CBCzRC4-128zDES-CBCzCAMELLIA-128-CTSz3DES-CBCzhmac-md5-etm@openssh.comzumac-64-etm@openssh.comzumac-128-etm@openssh.comzhmac-sha1-etm@openssh.comzhmac-sha2-256-etm@openssh.comzhmac-sha2-512-etm@openssh.com)zHMAC-MD5zUMAC-64zUMAC-128z HMAC-SHA1z HMAC-SHA2-256z HMAC-SHA2-512zhmac-md5zumac-64@openssh.comzumac-128@openssh.comz hmac-sha1z hmac-sha2-256z hmac-sha2-512zecdh-sha2-nistp521zecdh-sha2-nistp384zecdh-sha2-nistp256z.curve25519-sha256,curve25519-sha256@libssh.orgzdiffie-hellman-group1-sha1zdiffie-hellman-group14-sha1zdiffie-hellman-group14-sha256zdiffie-hellman-group16-sha512zdiffie-hellman-group18-sha512z"sntrup761x25519-sha512@openssh.com) zECDHE-SECP521R1-SHA2-512zECDHE-SECP384R1-SHA2-384zECDHE-SECP256R1-SHA2-256zECDHE-X25519-SHA2-256zDHE-FFDHE-1024-SHA1zDHE-FFDHE-2048-SHA1zDHE-FFDHE-2048-SHA2-256zDHE-FFDHE-4096-SHA2-512zDHE-FFDHE-8192-SHA2-512zSNTRUP-X25519-SHA2-512z"diffie-hellman-group-exchange-sha1z$diffie-hellman-group-exchange-sha256)zDHE-SHA1z DHE-SHA2-256z gss-gex-sha1-zgss-group1-sha1-zgss-group14-sha1-zgss-group14-sha256-zgss-nistp256-sha256-zgss-curve25519-sha256-zgss-group16-sha512-)z DHE-GSS-SHA1zDHE-GSS-FFDHE-1024-SHA1zDHE-GSS-FFDHE-2048-SHA1zDHE-GSS-FFDHE-2048-SHA2-256zECDHE-GSS-SECP256R1-SHA2-256zECDHE-GSS-X25519-SHA2-256zDHE-GSS-FFDHE-4096-SHA2-512zssh-rsazssh-dssz rsa-sha2-256z rsa-sha2-512zecdsa-sha2-nistp256z"sk-ecdsa-sha2-nistp256@openssh.comzecdsa-sha2-nistp384zecdsa-sha2-nistp521z ssh-ed25519zsk-ssh-ed25519@openssh.com) zRSA-SHA1zDSA-SHA1z RSA-SHA2-256z RSA-SHA2-512zECDSA-SHA2-256zECDSA-SHA2-256-FIDOzECDSA-SHA2-384zECDSA-SHA2-512z EDDSA-ED25519zEDDSA-ED25519-FIDOzssh-rsa-cert-v01@openssh.comzssh-dss-cert-v01@openssh.comz!rsa-sha2-256-cert-v01@openssh.comz!rsa-sha2-512-cert-v01@openssh.comz(ecdsa-sha2-nistp256-cert-v01@openssh.comz+sk-ecdsa-sha2-nistp256-cert-v01@openssh.comz(ecdsa-sha2-nistp384-cert-v01@openssh.comz(ecdsa-sha2-nistp521-cert-v01@openssh.comz ssh-ed25519-cert-v01@openssh.comz#sk-ssh-ed25519-cert-v01@openssh.comc Cs|j}d}d}d}|dD]0} z|||j| |}WqtyHYq0q|r`|d|d7}d}|jddkr|dD]0} z|||j| |}WqztyYqz0qz|jdd kr|dD]0} z|||j| |}WqtyYq0q|r |d |d7}d}d} |d D]&} |d D]} |jd rz$|j| d| } ||| |}WntyrYn0z"|| d| } || | |} WntyYn0|dD]}z*|| d|d| } ||| |}WntyYn0z*|| d|d| } || | |} Wnty6Yn0qq(q| r\|d| d7}n|d7}|rz|d|d7}d}|dD]n} z|||j | |}WntyYn0|jdrz|||j | |}WntyYn0q|r"|r|d|d7}|d|d7}d}|dD]4} z|||j | |}Wnty^Yn0q.|rz|d|d7}|jddkrt }|dur||d|jdd7}|S)Nr,ZcipherzCiphers  ZetmZ DISABLE_ETMZmacZDISABLE_NON_ETMzMACs Z key_exchangehashZarbitrary_dh_groups-groupzGSSAPIKexAlgorithms zGSSAPIKeyExchange no zKexAlgorithms signZ ssh_certszHostKeyAlgorithms zPubkeyAcceptedAlgorithms zCASignatureAlgorithms Z min_rsa_sizer ) Zenabledappend cipher_mapKeyErrorZenums mac_map_etmmac_mapZintegersgx_mapsign_mapsign_map_certs_min_rsa_size_option)clspolicy local_kx_maplocal_gss_kx_map do_host_keypZcfgsepsiZgssZkxhvalgZmin_rsa_optnamer#=/usr/share/crypto-policies/python/policygenerators/openssh.pygenerate_optionsrs              z!OpenSSHGenerator.generate_optionsN) __name__ __module__ __qualname__rrrkx_mapr gss_kx_maprr classmethodr%r#r#r#r$rs    rc@s0eZdZdZhdZeddZeddZdS)OpenSSHClientGeneratoropenssh>zopenssh-clientsshr-cCs&t|j}t|j}|j|||ddS)NFr)dictr)r*r%)rrrrr#r#r$generate_configs    z&OpenSSHClientGenerator.generate_configc Cs tddkrdStdtjs$dStddkrHttdd|}t\}}d}z~t|d }| |Wdn1s0Yzt j d |d dd }Wnt j y| d Yn0Wt|n t|0|r| d| d|dSdS)N OLD_OPENSSH1T /usr/bin/sshOPENSSH_MIN_RSA_SIZE_FORCE.*rwz/usr/bin/ssh -G -F z bogus654_server >/dev/nullshellz/usr/bin/ssh: Execution failed4There is an error in OpenSSH server generated policyPolicy: F)osgetenvaccessX_OKresubrrfdopenwrite subprocesscallCalledProcessErroreprintunlink)rconfigfdpathretfr#r#r$ test_configs. (  z"OpenSSHClientGenerator.test_configN)r&r'r( CONFIG_NAMESCOPESr+r1rOr#r#r#r$r,s  r,c@sLeZdZdZhdZdZeddZeddZedd Z ed d Z d S) OpenSSHServerGeneratorZ opensshserver>r.r-zopenssh-serverz4systemctl try-restart sshd.service 2>/dev/null || : cCs|j||j|jddS)NTr/)r%r)r*)rrr#r#r$r1sz&OpenSSHServerGenerator.generate_configcCsht\}}t|d}ztjd|ddd}WntjyP|dYn0|rd|ddS|S) Nr7z&/usr/bin/ssh-keygen -t rsa -b 3072 -f z -N "" >/dev/nullTr9z%/usr/bin/ssh-keygen: Execution failedz4SSH Keygen failed when testing OpenSSH server policyr)rr=rIrErFrGrH)rZ_fdrLrMr#r#r$ _test_setups    z"OpenSSHServerGenerator._test_setupcCs|rt|dSN)r=rI)rrLr#r#r$ _test_cleanup%sz$OpenSSHServerGenerator._test_cleanupc Cs4tddkrdStdtjs$dStddkrHttdd|}|}|sXdSt\}}d }zt |d }| |Wdn1s0Yz t j d |d |d dd}Wnt j y|dYn0Wt|||nt|||0|r0|d|d|dSdS)Nr2r3Tz/usr/sbin/sshdr5r6rFr7r8z/usr/sbin/sshd -T -h z -f z >/dev/nullr9z /usr/sbin/sshd: Execution failedr;r<)r=r>r?r@rArBrrSrrCrDrErFrGrHrIrU)rrJZhost_key_filenamerKrLrMrNr#r#r$rO*sB (     z"OpenSSHServerGenerator.test_configN) r&r'r(rPrQZ RELOAD_CMDr+r1rSrUrOr#r#r#r$rRs   rRc CsfzHtjddgdtjdj}td|}|rFtdd|DWSWnt t fy`YdS0dS)Nr4z-VF)checkstderrzOpenSSH_(\d+).(\d+)p.*css|]}t|VqdSrT)int).0nr#r#r$ Vz#_openssh_version..) rErunPIPErWdecoderAmatchtuplegroupsFileNotFoundErrorPermissionError)Z ssh_versionZverr#r#r$_openssh_versionPs   recCsBd}td|}|dkrdS|dkr>t}|r:|dkr:dSdS|S)Nz#RequiredRSASizeZOPENSSH_MIN_RSA_SIZEZnoneauto) rZRequiredRSASize)r=r>re)ZMIN_RSA_DEFAULTZmin_rsa_size_forceZopenssh_versionr#r#r$r\s  r) r=rArEZtempfilerZconfiggeneratorrrr,rRrerr#r#r#r$s  P+H