Remove blank lines in rendered ssh_config and sshd_config

[johnnybubonic]

The conf files you generate are either broken or render to eyesores such as this:

# The contents of the original sshd_config are kept on the bottom for
# quick reference.
# See the sshd_config(5) manpage for details

Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation sandbox
SyslogFacility AUTHPRIV
LogLevel INFO
ClientAliveInterval 1
ClientAliveCountMax 300
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes
MaxAuthTries 6
MaxSessions 5
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
ChallengeResponseAuthentication no
AuthenticationMethods publickey
PasswordAuthentication no
Banner /etc/ssh/banner
AcceptEnv XMODIFIERS
Subsystem sftp /usr/lib/ssh/sftp-server
UsePAM yes

AllowUsers root


AllowGroups root

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

Match Group sftpusers #sftp_chroot
    AllowTcpForwarding no

    ChrootDirectory /sftp-chroot/%u

    ForceCommand internal-sftp

    X11Forwarding no

Yes, including trailing whitespace.

I'd remove the blank lines between UsePAM/AllowUsers/AllowGroups, and remove the blank lines between all items in the Match section as well as the trailing blank lines. These blank lines make the config harder to visually parse, as they are separating logical sections that should be together.

[myii]

@johnnybubonic I haven't made any contributions to this repo so I can only speak in general. My inclination is to agree with the points you are raising but I've recently been made aware of a situation which complicates things. It started with an issue and PR in the postgres-formula:

• jinja strip white spaces option in salt master config causes a broken pg_hba.conf postgres-formula#241
• Edit pg_hba template to work with jinja 'trim whitespaces' option on salt master postgres-formula#244

The problem was that a fix for some is a whitespace bomb for others -- as I mentioned in my comment regarding the fix.

This led back to a stale issue in the main repo. After various discussions, that issue has been re-opened, so hopefully we can attain consistency when making fixes such as the ones you are suggesting.

[johnnybubonic]

@myii Thanks for bringing that upstream issue to my attention re: per-file trimming etc. I've subscribed to it to follow. It's a good thing SSH doesn't have whitespace-dependent parsing! I can only imagine the headache for things that do.

I think a lot of it - at least for this issue, for openssh-formula - can be addressed by just getting rid of the majority if not all of the macros. They're superfluous - many times they're used where simple for-loops could just be used instead with raw whitespacing in the template rather than trying to macro out the whitespacing/indentation and linebreaking. It seems to largely be an unnecessary complication. Alternatively, changing to something like a raw py template instead would probably be a lot more elegant.

[johnnybubonic]

or one could just use the augeas state instead.

[alxwr]

I think a lot of it - at least for this issue, for openssh-formula - can be addressed by just getting rid of the majority if not all of the macros. They're superfluous - many times they're used where simple for-loops could just be used instead with raw whitespacing in the template rather than trying to macro out the whitespacing/indentation and linebreaking. It seems to largely be an unnecessary complication. Alternatively, changing to something like a raw py template instead would probably be a lot more elegant.

@johnnybubonic If the resulting template is generally easier to understand, I'll be happy to merge your PR. Please stick to SLS. While it may not always be as elegant as Python, it lowers the bar for contributions.

[johnnybubonic]

sure - i'll try to get a PR in. not sure when that'll be exactly (i'm.. in the middle of converting our infra over to salt, obviously...), but i'll keep it to SLS. would you be OK with using the augeaus state in addition/instead? it should be part of salt core.

[alxwr]

@johnnybubonic AFAIK augeas needs additional python libraries on the minion. Therefore I (and I think others) favor SLS templates.

Have a look at https://github.com/saltstack-formulas/systemd-formula/blob/master/TOFS_pattern.md too, if you want to use alternative template files.