15-openssh.Rmd

# OpenSSH Policy {#openssh}

```{r, echo=FALSE, out.width="30%", fig.align='center'}
knitr::include_graphics("openssh-images/openssh.png")
```

\index{Policies!OpenSSH}

The OpenSSH Policy allows you to deploy OpenSSH settings to client machines. The policies are applied to a file in the `/etc/ssh/sshd_config.d` directory.

This policy is physically stored on the SYSVOL in **MACHINE/VGP/VTLA** **/SshCfg/SshD/manifest.xml**. The manifest.xml file is in xml format, and is easily modified manually using a text editor.

## Server Side Extension

The Server Side Extensions (SSE) for OpenSSH Policy is administered using the `samba-tool gpo manage openssh` command. This SSE cannot be modified using the GPME.
\index{Server Side Extensions}

### Managing OpenSSH Policy via samba-tool

The `samba-tool gpo manage openssh` command has 2 subcommands; set and list.

```
> samba-tool gpo manage openssh
Usage: samba-tool gpo manage openssh <subcommand>

Manage OpenSSH Group Policy Objects


Options:
  -h, --help  show this help message and exit


Available subcommands:
  list  - List VGP OpenSSH Group Policy from the sysvol
  set   - Sets a VGP OpenSSH Group Policy to the sysvol
```

To set a new OpenSSH rule, call the `samba-tool gpo manage openssh set` command, providing the following arguments:

1. `gpo`: the Group Policy Object (GPO) that you want to modify. This **MUST** be the GUID of the GPO.
2. `setting`: the OpenSSH setting that you want to modify. See the man page for sshd\_config (`man sshd_config`) for a list of possible settings.
3. `value`: the value that you want to set for the specified setting. If you do not provide a value, the policy will be unset.

Here is an example of how you might use this command to set the \linebreak `KerberosAuthentication` to `Yes`:

```sh
samba-tool gpo manage openssh set \
 {31B2F340-016D-11D2-945F-00C04FB984F9} \
 KerberosAuthentication Yes -UAdministrator
```

Then let's list the policy to see what has been set on the SYSVOL.

```
> samba-tool gpo manage openssh list \
 {31B2F340-016D-11D2-945F-00C04FB984F9} -UAdministrator
KerberosAuthentication Yes
```

## Client Side Extension

The OpenSSH Client Side Extension (CSE) will create a new file in the `/etc/ssh/sshd_config.d` directory.
\index{Client Side Extensions}

Let’s list the Resultant Set of Policy to view the policies we’ve created.

```
> sudo /usr/sbin/samba-gpupdate --rsop
Resultant Set of Policy
Computer Policy

GPO: Default Domain Policy
=================================================================
  CSE: vgp_openssh_ext
  -----------------------------------------------------------
    Policy Type: VGP/Unix Settings/OpenSSH
    -----------------------------------------------------------
    [ KerberosAuthentication ] =         Yes
    -----------------------------------------------------------
  -----------------------------------------------------------
=================================================================
```

The `KerberosAuthentication` setting we set is listed as expected.
\index{Resultant Set of Policy}

Let’s now force an apply.

```
sudo /usr/sbin/samba-gpupdate --force
> sudo tdbdump /var/lib/samba/gpo.tdb -k "TESTSYSDM$" \
 | sed -r "s/\\\22/\"/g" | sed -r "s/\\\5C/\\\\/g" \
 | xmllint --xpath "//gp_ext[@name='VGP/Unix
                                    Settings/OpenSSH']" - \
 | xmllint --format -
<gp_ext name="VGP/Unix Settings/OpenSSH">
  <attribute name="ezMx...Zy5k">
    /etc/ssh/sshd_config.d/gp_c7hytho4
  </attribute>
</gp_ext>
```

Notice that our new policy has been stored in `/etc/ssh/sshd_config.d/gp_c7hytho4`. Let's check the contents of this file to see what was generated.
\index{Group Policy Cache}

```
> sudo cat /etc/ssh/sshd_config.d/gp_c7hytho4

### autogenerated by samba
#
# This file is generated by the vgp_openssh_ext Group Policy
# Client Side Extension. To modify the contents of this file,
# modify the appropriate Group Policy objects which apply
# to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
#

KerberosAuthentication Yes
```

Our policy was successfully applied.