Description
I'm using puppet to define dynamic IP-based Match blocks like:

```puppet
sshd_config { 'AuthenticationMethods root trusted_ips':
  key       => 'AuthenticationMethods',
  condition => "User root Address ${ip_filter}",
  value     => join($methods, ' '),
  notify    => Service['sshd'],
}
```
Because the provider of this module uses the condition to check if the setting is already present, whenever the ip_filter changes, a new Match block is added to the configuration and the previous one is not touched/modified/replaced/removed.
One solution to this problem would be to insert a comment (e.g. equal to the resource name?) and do the match on this comment instead of using the condition itself.
For the record, I'm currently using the following code to achieve what I need:
```puppet
$trusted_root_methods = join($methods, ' ')

# Insert the Match block once, tagged with a marker comment in its Settings.
# The marker comment, not the condition, is what later runs key on.
augeas { 'sshd_2fa_trusted_root_insert':
  context => '/files/etc/ssh/sshd_config',
  changes => [
    'set Match[last()+1]/Condition/User root',
    "set Match[last()]/Condition/Address ${ip_filter}",
    'set Match[last()]/Settings/#comment "Multifactor root from trusted ip"',
    # no $target variable is defined in this resource, so the new block is
    # addressed as Match[last()], the node created two lines above
    "set Match[last()]/Settings/AuthenticationMethods '${trusted_root_methods}'",
  ],
  before  => Augeas['sshd_2fa_trusted_root_verify'],
  onlyif  => 'match */Settings/#comment[. = "Multifactor root from trusted ip"] size == 0',
  notify  => Service['sshd'],
}

# Locate the block by its marker comment and rewrite its Condition and
# Settings, so a changed ${ip_filter} or method list replaces the old block
# instead of leaving it behind.
augeas { 'sshd_2fa_trusted_root_verify':
  context => '/files/etc/ssh/sshd_config',
  changes => [
    # the onlyif guarantees the marked block exists, so defvar is sufficient
    'defvar target */Settings/#comment[. = "Multifactor root from trusted ip"]/../..',
    'rm $target/Condition',
    'set $target/Condition/User root',
    "set \$target/Condition/Address ${ip_filter}",
    'rm $target/Settings',
    'set $target/Settings/#comment "Multifactor root from trusted ip"',
    "set \$target/Settings/AuthenticationMethods '${trusted_root_methods}'",
  ],
  onlyif  => 'match */Settings/#comment[. = "Multifactor root from trusted ip"] size != 0',
  notify  => Service['sshd'],
}
```
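As an added example that is not part of this issue or of the sshd_config module it was filed against, the following Python script implements the marker-comment approach proposed above over plain sshd_config text: the managed Match block is located by its marker comment rather than by its condition, so a changed IP list replaces the stale block in place (keeping its position) instead of leaving it behind, re-applying the same input is a no-op, and two blocks carrying the same marker are refused rather than silently guessed between. The marker text, the sample config, the addresses and all function names are constructed for the example.

```python
"""Added example (not from the issue or the sshd_config module): locate a
managed Match block in sshd_config by a marker comment instead of by its
condition, so that a changed condition replaces the stale block in place.
The marker text, the sample config and all names here are constructed."""
import re

# Hypothetical marker; the issue suggests e.g. the resource name instead.
MARKER = "Multifactor root from trusted ip"

# Constructed sample: a config that already carries a marked block whose
# Address list is out of date relative to what we now want to enforce.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin yes
Match User root Address 10.0.0.0/8
    # Multifactor root from trusted ip
    AuthenticationMethods publickey,keyboard-interactive
Match User deploy
    PasswordAuthentication no
"""


def split_blocks(text):
    """Split sshd_config text into (global_lines, [(match_line, body), ...]).

    sshd_config semantics: every line after a 'Match' line belongs to that
    block until the next 'Match' line, so one linear scan is sufficient.
    """
    global_lines, blocks = [], []
    current = None
    for line in text.splitlines():
        if re.match(r"^\s*Match\b", line, re.IGNORECASE):
            current = (line, [])
            blocks.append(current)
        elif current is None:
            global_lines.append(line)
        else:
            current[1].append(line)
    return global_lines, blocks


def render_block(condition, settings):
    """Build the desired block; the marker comment is its first body line."""
    body = [f"    # {MARKER}"]
    body += [f"    {key} {value}" for key, value in settings.items()]
    return (f"Match {condition}", body)


def has_marker(body):
    pattern = r"^\s*#\s*" + re.escape(MARKER) + r"\s*$"
    return any(re.match(pattern, line) for line in body)


def ensure_marked_block(text, condition, settings):
    """Return (new_text, changed).

    The block carrying MARKER is replaced in place (Condition and Settings
    alike, keeping its position); if none exists, the block is appended.
    More than one marked block is an error rather than a silent choice.
    """
    global_lines, blocks = split_blocks(text)
    wanted = render_block(condition, settings)
    marked = [i for i, (_, body) in enumerate(blocks) if has_marker(body)]
    if len(marked) > 1:
        raise ValueError(f"more than one Match block carries marker {MARKER!r}")
    if marked:
        if blocks[marked[0]] == wanted:
            return text, False  # already converged: nothing to do
        blocks[marked[0]] = wanted
    else:
        blocks.append(wanted)
    out = list(global_lines)
    for head, body in blocks:
        out.append(head)
        out.extend(body)
    return "\n".join(out) + "\n", True


if __name__ == "__main__":
    methods = {"AuthenticationMethods": "publickey,keyboard-interactive"}
    condition = "User root Address 192.0.2.0/24,198.51.100.7"
    new_text, changed = ensure_marked_block(SAMPLE_CONFIG, condition, methods)
    print(f"first run changed={changed}\n{new_text}")
    _, changed = ensure_marked_block(new_text, condition, methods)
    print(f"second run changed={changed}")
```

The first run rewrites the stale `10.0.0.0/8` block under the new Address list while the unrelated `Match User deploy` block is left alone; the second run reports no change, which is the idempotence the two augeas resources above are emulating with their `onlyif` guards.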