# Source of the crypto-policies OpenSSH back-end generator
# (python/policygenerators/openssh.py), recovered here from the compiled
# module; the algorithm maps and control flow follow the bytecode's constants.

from subprocess import call, CalledProcessError
from tempfile import mkstemp

import os

from .configgenerator import ConfigGenerator


class OpenSSHGenerator(ConfigGenerator):
    # Policy cipher names -> OpenSSH cipher names. An empty string means the
    # policy cipher has no OpenSSH equivalent and is skipped by cls.append().
    cipher_map = {
        'AES-256-GCM': 'aes256-gcm@openssh.com',
        'AES-256-CTR': 'aes256-ctr',
        'AES-192-GCM': '',
        'AES-192-CTR': 'aes192-ctr',
        'AES-128-GCM': 'aes128-gcm@openssh.com',
        'AES-128-CTR': 'aes128-ctr',
        'CHACHA20-POLY1305': 'chacha20-poly1305@openssh.com',
        'CAMELLIA-256-GCM': '',
        'AES-256-CCM': '',
        'AES-192-CCM': '',
        'AES-128-CCM': '',
        'CAMELLIA-128-GCM': '',
        'AES-256-CBC': 'aes256-cbc',
        'AES-192-CBC': 'aes192-cbc',
        'AES-128-CBC': 'aes128-cbc',
        'CAMELLIA-256-CBC': '',
        'CAMELLIA-128-CBC': '',
        'RC4-128': '',
        'DES-CBC': '',
        'CAMELLIA-128-CTS': '',
        '3DES-CBC': '3des-cbc',
    }

    # Encrypt-then-MAC variants are listed first when the ssh_etm integer is set.
    mac_map_etm = {
        'HMAC-MD5': 'hmac-md5-etm@openssh.com',
        'UMAC-64': 'umac-64-etm@openssh.com',
        'UMAC-128': 'umac-128-etm@openssh.com',
        'HMAC-SHA1': 'hmac-sha1-etm@openssh.com',
        'HMAC-SHA2-256': 'hmac-sha2-256-etm@openssh.com',
        'HMAC-SHA2-512': 'hmac-sha2-512-etm@openssh.com',
    }

    mac_map = {
        'HMAC-MD5': 'hmac-md5',
        'UMAC-64': 'umac-64@openssh.com',
        'UMAC-128': 'umac-128@openssh.com',
        'HMAC-SHA1': 'hmac-sha1',
        'HMAC-SHA2-256': 'hmac-sha2-256',
        'HMAC-SHA2-512': 'hmac-sha2-512',
    }

    # Keys are built as '<key_exchange>-<group>-<hash>' from the policy lists.
    kx_map = {
        'ECDHE-SECP521R1-SHA2-512': 'ecdh-sha2-nistp521',
        'ECDHE-SECP384R1-SHA2-384': 'ecdh-sha2-nistp384',
        'ECDHE-SECP256R1-SHA2-256': 'ecdh-sha2-nistp256',
        'ECDHE-X25519-SHA2-256': 'curve25519-sha256,curve25519-sha256@libssh.org',
        'DHE-FFDHE-1024-SHA1': 'diffie-hellman-group1-sha1',
        'DHE-FFDHE-2048-SHA1': 'diffie-hellman-group14-sha1',
        'DHE-FFDHE-2048-SHA2-256': 'diffie-hellman-group14-sha256',
        'DHE-FFDHE-4096-SHA2-512': 'diffie-hellman-group16-sha512',
        'DHE-FFDHE-8192-SHA2-512': 'diffie-hellman-group18-sha512',
    }

    # Group-exchange methods, only emitted when arbitrary_dh_groups is set.
    gx_map = {
        'DHE-SHA1': 'diffie-hellman-group-exchange-sha1',
        'DHE-SHA2-256': 'diffie-hellman-group-exchange-sha256',
    }

    gss_kx_map = {
        'DHE-GSS-SHA1': 'gss-gex-sha1-',
        'DHE-GSS-FFDHE-1024-SHA1': 'gss-group1-sha1-',
        'DHE-GSS-FFDHE-2048-SHA1': 'gss-group14-sha1-',
        'DHE-GSS-FFDHE-2048-SHA2-256': 'gss-group14-sha256-',
        'ECDHE-GSS-SECP256R1-SHA2-256': 'gss-nistp256-sha256-',
        'ECDHE-GSS-X25519-SHA2-256': 'gss-curve25519-sha256-',
        'DHE-GSS-FFDHE-4096-SHA2-512': 'gss-group16-sha512-',
    }

    sign_map = {
        'RSA-SHA1': 'ssh-rsa',
        'DSA-SHA1': 'ssh-dss',
        'RSA-SHA2-256': 'rsa-sha2-256',
        'RSA-SHA2-512': 'rsa-sha2-512',
        'ECDSA-SHA2-256': 'ecdsa-sha2-nistp256',
        'ECDSA-SHA2-384': 'ecdsa-sha2-nistp384',
        'ECDSA-SHA2-512': 'ecdsa-sha2-nistp521',
        'EDDSA-ED25519': 'ssh-ed25519',
    }

    sign_map_certs = {
        'RSA-SHA1': 'ssh-rsa-cert-v01@openssh.com',
        'DSA-SHA1': 'ssh-dss-cert-v01@openssh.com',
        'RSA-SHA2-256': 'rsa-sha2-256-cert-v01@openssh.com',
        'RSA-SHA2-512': 'rsa-sha2-512-cert-v01@openssh.com',
        'ECDSA-SHA2-256': 'ecdsa-sha2-nistp256-cert-v01@openssh.com',
        'ECDSA-SHA2-384': 'ecdsa-sha2-nistp384-cert-v01@openssh.com',
        'ECDSA-SHA2-512': 'ecdsa-sha2-nistp521-cert-v01@openssh.com',
        'EDDSA-ED25519': 'ssh-ed25519-cert-v01@openssh.com',
    }

    @classmethod
    def generate_options(cls, policy, local_kx_map, local_gss_kx_map,
                         do_host_key):
        p = policy.enabled
        cfg = ''
        sep = ','

        s = ''
        for i in p['cipher']:
            try:
                s = cls.append(s, cls.cipher_map[i], sep)
            except KeyError:
                pass

        if s:
            cfg += cls._FORMAT_STRING.format('Ciphers', s)

        s = ''
        if policy.integers['ssh_etm']:
            for i in p['mac']:
                try:
                    s = cls.append(s, cls.mac_map_etm[i], sep)
                except KeyError:
                    pass
        for i in p['mac']:
            try:
                s = cls.append(s, cls.mac_map[i], sep)
            except KeyError:
                pass

        if s:
            cfg += cls._FORMAT_STRING.format('MACs', s)

        s = ''
        gss = ''
        for kx in p['key_exchange']:
            for h in p['hash']:
                if policy.integers['arbitrary_dh_groups']:
                    try:
                        val = cls.gx_map[kx + '-' + h]
                        s = cls.append(s, val, sep)
                    except KeyError:
                        pass
                # GSS group exchange has no group component in its key.
                try:
                    val = local_gss_kx_map[kx + '-' + h]
                    gss = cls.append(gss, val, sep)
                except KeyError:
                    pass
                for g in p['group']:
                    try:
                        val = local_kx_map[kx + '-' + g + '-' + h]
                        s = cls.append(s, val, sep)
                    except KeyError:
                        pass
                    try:
                        val = local_gss_kx_map[kx + '-' + g + '-' + h]
                        gss = cls.append(gss, val, sep)
                    except KeyError:
                        pass

        # Either enumerate the GSSAPI methods or switch GSSAPI kex off entirely.
        if gss:
            cfg += cls._FORMAT_STRING.format('GSSAPIKexAlgorithms', gss)
        else:
            cfg += cls._FORMAT_STRING.format('GSSAPIKeyExchange', 'no')

        if s:
            cfg += cls._FORMAT_STRING.format('KexAlgorithms', s)

        s = ''
        for i in p['sign']:
            try:
                s = cls.append(s, cls.sign_map[i], sep)
            except KeyError:
                pass
            if policy.integers['ssh_certs'] == 1:
                try:
                    s = cls.append(s, cls.sign_map_certs[i], sep)
                except KeyError:
                    pass

        if s:
            # HostKeyAlgorithms is a server-side option only.
            if do_host_key:
                cfg += cls._FORMAT_STRING.format('HostKeyAlgorithms', s)
            cfg += cls._FORMAT_STRING.format('PubkeyAcceptedKeyTypes', s)

        # CA signatures never include the *-cert-v01 types.
        s = ''
        for i in p['sign']:
            try:
                s = cls.append(s, cls.sign_map[i], sep)
            except KeyError:
                pass

        if s:
            cfg += cls._FORMAT_STRING.format('CASignatureAlgorithms', s)

        return cfg


class OpenSSHClientGenerator(OpenSSHGenerator):
    CONFIG_NAME = 'openssh'
    SCOPES = {'ssh', 'openssh', 'openssh-client'}

    # ssh_config syntax: "Keyword value" per line.
    _FORMAT_STRING = '{0} {1}\n'

    @classmethod
    def generate_config(cls, policy):
        local_kx_map = dict(cls.kx_map)
        local_gss_kx_map = dict(cls.gss_kx_map)
        return cls.generate_options(policy, local_kx_map, local_gss_kx_map,
                                    False)

    @classmethod
    def test_config(cls, config):
        if not os.access('/usr/bin/ssh', os.X_OK):
            return True

        fd, path = mkstemp()

        ret = 255
        try:
            with os.fdopen(fd, 'w') as f:
                f.write(config)
            try:
                # -G only prints the effective configuration; no connection is made.
                ret = call('/usr/bin/ssh -G -F ' + path
                           + ' bogus654_server >/dev/null', shell=True)
            except CalledProcessError:
                cls.eprint("/usr/bin/ssh: Execution failed")
        finally:
            os.unlink(path)

        if ret:
            cls.eprint("There is an error in OpenSSH generated policy")
            cls.eprint("Policy:\n%s" % config)
            return False
        return True


class OpenSSHServerGenerator(OpenSSHGenerator):
    CONFIG_NAME = 'opensshserver'
    SCOPES = {'ssh', 'openssh', 'openssh-server'}

    RELOAD_CMD = 'systemctl try-restart sshd.service 2>/dev/null || :\n'

    # The server file is sourced as a shell variable and passed to sshd as
    # command-line options, hence "-oKeyword=value" separated by spaces.
    _FORMAT_STRING = '-o{0}={1} '

    @classmethod
    def generate_config(cls, policy):
        local_kx_map = dict(cls.kx_map)
        local_gss_kx_map = dict(cls.gss_kx_map)
        # 1024-bit group1 is never offered by the server, whatever the policy says.
        del local_kx_map['DHE-FFDHE-1024-SHA1']
        del local_gss_kx_map['DHE-GSS-FFDHE-1024-SHA1']
        cfg = cls.generate_options(policy, local_kx_map, local_gss_kx_map,
                                   True)
        cfg = cfg.rstrip()
        return 'CRYPTO_POLICY=\'' + cfg + '\'\n'

    @classmethod
    def _test_setup(cls):
        # sshd -T needs a host key to load; generate a throwaway one.
        _fd, path = mkstemp()
        os.unlink(path)
        ret = 255
        try:
            ret = call('/usr/bin/ssh-keygen -t rsa -b 2048 -f ' + path
                       + ' -N "" >/dev/null', shell=True)
        except CalledProcessError:
            cls.eprint("/usr/bin/ssh-keygen: Execution failed")
        if ret:
            cls.eprint("SSH Keygen failed when testing OpenSSH server policy")
            return ''
        return path

    @classmethod
    def _test_cleanup(cls, path):
        if path:
            os.unlink(path)

    @classmethod
    def test_config(cls, config):
        if not os.access('/usr/sbin/sshd', os.X_OK):
            return True

        host_key_filename = cls._test_setup()
        if not host_key_filename:
            return False

        fd, path = mkstemp()

        ret = 255
        try:
            with os.fdopen(fd, 'w') as f:
                f.write(config)
            try:
                # Exercise the options exactly as the service unit does:
                # source the file, then run sshd -T (test mode) with $CRYPTO_POLICY.
                ret = call('/usr/bin/bash -c \'source ' + path
                           + ' && /usr/sbin/sshd -T $CRYPTO_POLICY -h '
                           + host_key_filename
                           + ' -f /dev/null\' >/dev/null', shell=True)
            except CalledProcessError:
                cls.eprint("/usr/sbin/sshd: Execution failed")
        finally:
            os.unlink(path)
            cls._test_cleanup(host_key_filename)

        if ret:
            cls.eprint("There is an error in OpenSSH server generated policy")
            cls.eprint("Policy:\n%s" % config)
            return False
        return True