README.md

sshd-config

A tool for manipulating an sshd_config file

requirements

golang 1.11+

building

make build

usage

Usage: sshd-config <command> [<key>] [<value>] [--filename=<filename>]
       sshd-config -h | --help
       sshd-config --version

Options:
  -h --help              Show this screen.
  --version              Show version.
  --filename=<filename>  The sshd-config to modify [default: /etc/ssh/sshd_config]

Commands:
   add        Add a value to a key
   get        Get a key's values
   lint       Lint a config against best practices
   set        Set a value on a key
   unset      Unset all instances of a key

linting

Linting runs against the following rules:

• Multiple values only allowed for:
  • AcceptEnv
  • HostKey
  • ListenAddress
  • Port
• The following keys may only have the corresponding values:
  • AuthenticationMethods: publickey
  • HostbasedAuthentication: no
  • IgnoreRhosts: yes
  • PasswordAuthentication: no
  • PermitEmptyPasswords: no
  • PermitRootLogin: no
  • Protocol: 2
  • PubkeyAuthentication: yes
  • StrictModes: yes
  • UsePrivilegeSeparation: yes
• The following keys may have multiple values, but those values must only be within the corresponding list:
  • HostKey: /etc/ssh/ssh_host_ed25519_key, /etc/ssh/ssh_host_rsa_key
  • KexAlgorithms: [email protected], diffie-hellman-group-exchange-sha256
  • Ciphers: [email protected], [email protected], [email protected], aes256-ctr, aes192-ctr, aes128-ctr
  • MACs: [email protected], [email protected], [email protected], hmac-sha2-512, hmac-sha2-256, [email protected]
• The following keys are the only ones that may have an empty value:
  • AuthorizedKeysCommand
  • AuthorizedKeysCommandRunAs
• The following keys may only have one of the corresponding values:
  • AddressFamily: any, inet, inet6
  • Compression: yes, no, delayed
  • GatewayPorts: yes, no, clientspecified
  • LogLevel: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, DEBUG3
  • PermitRootLogin: yes, no, forced-commands-only, without-password
  • PermitTunnel: yes, no, ethernet, point-to-point
  • Protocol: 1, 2, 1,2, 2,1
  • SyslogFacility: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7
• The following keys may comprise of one or more - comma-separated - of the corresponding values (the error will point out an invalid value within the provided list):
  • Ciphers: 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr, arcfour128, arcfour256, arcfour, blowfish-cbc, cast128-cbc
• The following keys may only have an integer as a value:
  • ClientAliveCountMax
  • ClientAliveInterval
  • KeyRegenerationInterval
  • LoginGraceTime
  • MaxAuthTries
  • MaxSessions
  • MaxStartups
  • Port
  • ServerKeyBits
  • X11DisplayOffset
• The following keys may only have a value of yes or no:
  • AllowAgentForwarding
  • AllowTcpForwarding
  • ChallengeResponseAuthentication
  • GSSAPICleanupCredentials
  • GSSAPIKeyExchange
  • GSSAPIStrictAcceptorCheck
  • HostbasedAuthentication
  • HostbasedUsesNameFromPacketOnly
  • IgnoreRhosts
  • IgnoreUserKnownHosts
  • KerberosAuthentication
  • KerberosGetAFSToken
  • KerberosOrLocalPasswd
  • KerberosTicketCleanup
  • KerberosUseKuserok
  • PasswordAuthentication
  • PermitEmptyPasswords
  • PermitUserEnvironment
  • PrintLastLog
  • PrintMotd
  • PubkeyAuthentication
  • RhostsRSAAuthentication
  • RSAAuthentication
  • ShowPatchLevel
  • StrictModes
  • TCPKeepAlive
  • UseDNS
  • UseLogin
  • UsePAM
  • UsePrivilegeSeparation
  • X11Forwarding
  • X11UseLocalhost

Any violation of the above rules will result in the error being printed to stderr and non-zero exit code.